Inicio Explorar Axuda
Iniciar sesión
golang
/
netmaker
réplica de https://github.com/gravitl/netmaker
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Rama: ACC-638
Ramas Etiquetas
netmaker
/
controllers
/
user.go

user.go 25 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"net/url"
    9. 

  9. 	"reflect"
    10. 

  10. 

  11. 	"github.com/gorilla/mux"
    12. 

  12. 	"github.com/gorilla/websocket"
    13. 

  13. 	"github.com/gravitl/netmaker/auth"
    14. 

  14. 	"github.com/gravitl/netmaker/logger"
    15. 

  15. 	"github.com/gravitl/netmaker/logic"
    16. 

  16. 	"github.com/gravitl/netmaker/models"
    17. 

  17. 	"github.com/gravitl/netmaker/mq"
    18. 

  18. 	"github.com/gravitl/netmaker/servercfg"
    19. 

  19. 	"golang.org/x/exp/slog"
    20. 

  20. )
    21. 

  21. 

  22. var (
    23. 

  23. 	upgrader = websocket.Upgrader{}
    24. 

  24. )
    25. 

  25. 

  26. var ListRoles = listRoles
    27. 

  27. 

  28. func userHandlers(r *mux.Router) {
    29. 

  29. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    30. 

  30. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    31. 

  31. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    32. 

  32. 		Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    34. 

  34. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    35. 

  35. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    37. 

  37. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    38. 

  38. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    39. 

  39. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    40. 

  40. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    41. 

  41. 

  42. }
    43. 

  43. 

  44. // @Summary     Authenticate a user to retrieve an authorization token
    45. 

  45. // @Router      /api/users/adm/authenticate [post]
    46. 

  46. // @Tags        Auth
    47. 

  47. // @Accept      json
    48. 

  48. // @Param       body body models.UserAuthParams true "Authentication parameters"
    49. 

  49. // @Success     200 {object} models.SuccessResponse
    50. 

  50. // @Failure     400 {object} models.ErrorResponse
    51. 

  51. // @Failure     401 {object} models.ErrorResponse
    52. 

  52. // @Failure     500 {object} models.ErrorResponse
    53. 

  53. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    54. 

  54. 

  55. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    56. 

  56. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    57. 

  57. 	var authRequest models.UserAuthParams
    58. 

  58. 	var errorResponse = models.ErrorResponse{
    59. 

  59. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    60. 

  60. 	}
    61. 

  61. 

  62. 	if !servercfg.IsBasicAuthEnabled() {
    63. 

  63. 		logic.ReturnErrorResponse(
    64. 

  64. 			response,
    65. 

  65. 			request,
    66. 

  66. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    67. 

  67. 		)
    68. 

  68. 		return
    69. 

  69. 	}
    70. 

  70. 

  71. 	decoder := json.NewDecoder(request.Body)
    72. 

  72. 	decoderErr := decoder.Decode(&authRequest)
    73. 

  73. 	defer request.Body.Close()
    74. 

  74. 	if decoderErr != nil {
    75. 

  75. 		logger.Log(0, "error decoding request body: ",
    76. 

  76. 			decoderErr.Error())
    77. 

  77. 		logic.ReturnErrorResponse(response, request, errorResponse)
    78. 

  78. 		return
    79. 

  79. 	}
    80. 

  80. 	if val := request.Header.Get("From-Ui"); val == "true" {
    81. 

  81. 		// request came from UI, if normal user block Login
    82. 

  82. 		user, err := logic.GetUser(authRequest.UserName)
    83. 

  83. 		if err != nil {
    84. 

  84. 			logger.Log(0, authRequest.UserName, "user validation failed: ",
    85. 

  85. 				err.Error())
    86. 

  86. 			logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    87. 

  87. 			return
    88. 

  88. 		}
    89. 

  89. 		role, err := logic.GetRole(user.PlatformRoleID)
    90. 

  90. 		if err != nil {
    91. 

  91. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    92. 

  92. 			return
    93. 

  93. 		}
    94. 

  94. 		if role.DenyDashboardAccess {
    95. 

  95. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    96. 

  96. 			return
    97. 

  97. 		}
    98. 

  98. 	}
    99. 

  99. 	user, err := logic.GetUser(authRequest.UserName)
    100. 

  100. 	if err != nil {
    101. 

  101. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    102. 

  102. 		return
    103. 

  103. 	}
    104. 

  104. 	if logic.IsOauthUser(user) == nil {
    105. 

  105. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    106. 

  106. 		return
    107. 

  107. 	}
    108. 

  108. 	username := authRequest.UserName
    109. 

  109. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    110. 

  110. 	if err != nil {
    111. 

  111. 		logger.Log(0, username, "user validation failed: ",
    112. 

  112. 			err.Error())
    113. 

  113. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    114. 

  114. 		return
    115. 

  115. 	}
    116. 

  116. 

  117. 	if jwt == "" {
    118. 

  118. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    119. 

  119. 		logger.Log(0, username, "jwt token is empty")
    120. 

  120. 		logic.ReturnErrorResponse(
    121. 

  121. 			response,
    122. 

  122. 			request,
    123. 

  123. 			logic.FormatError(errors.New("no token returned"), "internal"),
    124. 

  124. 		)
    125. 

  125. 		return
    126. 

  126. 	}
    127. 

  127. 

  128. 	var successResponse = models.SuccessResponse{
    129. 

  129. 		Code:    http.StatusOK,
    130. 

  130. 		Message: "W1R3: Device " + username + " Authorized",
    131. 

  131. 		Response: models.SuccessfulUserLoginResponse{
    132. 

  132. 			AuthToken: jwt,
    133. 

  133. 			UserName:  username,
    134. 

  134. 		},
    135. 

  135. 	}
    136. 

  136. 	// Send back the JWT
    137. 

  137. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    138. 

  138. 	if jsonError != nil {
    139. 

  139. 		logger.Log(0, username,
    140. 

  140. 			"error marshalling resp: ", jsonError.Error())
    141. 

  141. 		logic.ReturnErrorResponse(response, request, errorResponse)
    142. 

  142. 		return
    143. 

  143. 	}
    144. 

  144. 	logger.Log(2, username, "was authenticated")
    145. 

  145. 	response.Header().Set("Content-Type", "application/json")
    146. 

  146. 	response.Write(successJSONResponse)
    147. 

  147. 

  148. 	go func() {
    149. 

  149. 		if servercfg.IsPro && servercfg.GetRacAutoDisable() {
    150. 

  150. 			// enable all associeated clients for the user
    151. 

  151. 			clients, err := logic.GetAllExtClients()
    152. 

  152. 			if err != nil {
    153. 

  153. 				slog.Error("error getting clients: ", "error", err)
    154. 

  154. 				return
    155. 

  155. 			}
    156. 

  156. 			for _, client := range clients {
    157. 

  157. 				if client.OwnerID == username && !client.Enabled {
    158. 

  158. 					slog.Info(
    159. 

  159. 						fmt.Sprintf(
    160. 

  160. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    161. 

  161. 							client.ClientID,
    162. 

  162. 							client.OwnerID,
    163. 

  163. 						),
    164. 

  164. 					)
    165. 

  165. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    166. 

  166. 						slog.Error(
    167. 

  167. 							"error enabling ext client in RAC autodisable hook",
    168. 

  168. 							"error",
    169. 

  169. 							err,
    170. 

  170. 						)
    171. 

  171. 						continue // dont return but try for other clients
    172. 

  172. 					} else {
    173. 

  173. 						// publish peer update to ingress gateway
    174. 

  174. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    175. 

  175. 							if err = mq.PublishPeerUpdate(false); err != nil {
    176. 

  176. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    177. 

  177. 							}
    178. 

  178. 						}
    179. 

  179. 					}
    180. 

  180. 				}
    181. 

  181. 			}
    182. 

  182. 		}
    183. 

  183. 	}()
    184. 

  184. }
    185. 

  185. 

  186. // @Summary     Check if the server has a super admin
    187. 

  187. // @Router      /api/users/adm/hassuperadmin [get]
    188. 

  188. // @Tags        Users
    189. 

  189. // @Success     200 {object} bool
    190. 

  190. // @Failure     500 {object} models.ErrorResponse
    191. 

  191. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    192. 

  192. 

  193. 	w.Header().Set("Content-Type", "application/json")
    194. 

  194. 

  195. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    196. 

  196. 	if err != nil {
    197. 

  197. 		logger.Log(0, "failed to check for admin: ", err.Error())
    198. 

  198. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    199. 

  199. 		return
    200. 

  200. 	}
    201. 

  201. 

  202. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    203. 

  203. 

  204. }
    205. 

  205. 

  206. // @Summary     Get an individual user
    207. 

  207. // @Router      /api/users/{username} [get]
    208. 

  208. // @Tags        Users
    209. 

  209. // @Param       username path string true "Username of the user to fetch"
    210. 

  210. // @Success     200 {object} models.User
    211. 

  211. // @Failure     500 {object} models.ErrorResponse
    212. 

  212. func getUser(w http.ResponseWriter, r *http.Request) {
    213. 

  213. 	// set header.
    214. 

  214. 	w.Header().Set("Content-Type", "application/json")
    215. 

  215. 

  216. 	var params = mux.Vars(r)
    217. 

  217. 	usernameFetched := params["username"]
    218. 

  218. 	user, err := logic.GetReturnUser(usernameFetched)
    219. 

  219. 

  220. 	if err != nil {
    221. 

  221. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    222. 

  222. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    223. 

  223. 		return
    224. 

  224. 	}
    225. 

  225. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    226. 

  226. 	json.NewEncoder(w).Encode(user)
    227. 

  227. }
    228. 

  228. 

  229. // swagger:route GET /api/v1/users user getUserV1
    230. 

  230. //
    231. 

  231. // Get an individual user with role info.
    232. 

  232. //
    233. 

  233. //			Schemes: https
    234. 

  234. //
    235. 

  235. //			Security:
    236. 

  236. //	  		oauth
    237. 

  237. //
    238. 

  238. //			Responses:
    239. 

  239. //				200: ReturnUserWithRolesAndGroups
    240. 

  240. func getUserV1(w http.ResponseWriter, r *http.Request) {
    241. 

  241. 	// set header.
    242. 

  242. 	w.Header().Set("Content-Type", "application/json")
    243. 

  243. 	usernameFetched, _ := url.QueryUnescape(r.URL.Query().Get("username"))
    244. 

  244. 	if usernameFetched == "" {
    245. 

  245. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    246. 

  246. 		return
    247. 

  247. 	}
    248. 

  248. 	user, err := logic.GetReturnUser(usernameFetched)
    249. 

  249. 	if err != nil {
    250. 

  250. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    251. 

  251. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    252. 

  252. 		return
    253. 

  253. 	}
    254. 

  254. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    255. 

  255. 	if err != nil {
    256. 

  256. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    257. 

  257. 		return
    258. 

  258. 	}
    259. 

  259. 	resp := models.ReturnUserWithRolesAndGroups{
    260. 

  260. 		ReturnUser:   user,
    261. 

  261. 		PlatformRole: userRoleTemplate,
    262. 

  262. 	}
    263. 

  263. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    264. 

  264. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    265. 

  265. }
    266. 

  266. 

  267. // swagger:route GET /api/users user getUsers
    268. 

  268. //
    269. 

  269. // Get all users.
    270. 

  270. //
    271. 

  271. //			Schemes: https
    272. 

  272. //
    273. 

  273. //			Security:
    274. 

  274. //	  		oauth
    275. 

  275. //
    276. 

  276. //			Responses:
    277. 

  277. //				200: userBodyResponse
    278. 

  278. func getUsers(w http.ResponseWriter, r *http.Request) {
    279. 

  279. 	// set header.
    280. 

  280. 	w.Header().Set("Content-Type", "application/json")
    281. 

  281. 

  282. 	users, err := logic.GetUsers()
    283. 

  283. 

  284. 	if err != nil {
    285. 

  285. 		logger.Log(0, "failed to fetch users: ", err.Error())
    286. 

  286. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    287. 

  287. 		return
    288. 

  288. 	}
    289. 

  289. 

  290. 	logic.SortUsers(users[:])
    291. 

  291. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    292. 

  292. 	json.NewEncoder(w).Encode(users)
    293. 

  293. }
    294. 

  294. 

  295. // @Summary     Create a super admin
    296. 

  296. // @Router      /api/users/adm/createsuperadmin [post]
    297. 

  297. // @Tags        Users
    298. 

  298. // @Param       body body models.User true "User details"
    299. 

  299. // @Success     200 {object} models.User
    300. 

  300. // @Failure     400 {object} models.ErrorResponse
    301. 

  301. // @Failure     500 {object} models.ErrorResponse
    302. 

  302. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    303. 

  303. 	w.Header().Set("Content-Type", "application/json")
    304. 

  304. 

  305. 	var u models.User
    306. 

  306. 

  307. 	err := json.NewDecoder(r.Body).Decode(&u)
    308. 

  308. 	if err != nil {
    309. 

  309. 		slog.Error("error decoding request body", "error", err.Error())
    310. 

  310. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    311. 

  311. 		return
    312. 

  312. 	}
    313. 

  313. 

  314. 	if !servercfg.IsBasicAuthEnabled() {
    315. 

  315. 		logic.ReturnErrorResponse(
    316. 

  316. 			w,
    317. 

  317. 			r,
    318. 

  318. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    319. 

  319. 		)
    320. 

  320. 		return
    321. 

  321. 	}
    322. 

  322. 

  323. 	err = logic.CreateSuperAdmin(&u)
    324. 

  324. 	if err != nil {
    325. 

  325. 		slog.Error("failed to create admin", "error", err.Error())
    326. 

  326. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    327. 

  327. 		return
    328. 

  328. 	}
    329. 

  329. 	logger.Log(1, u.UserName, "was made a super admin")
    330. 

  330. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    331. 

  331. }
    332. 

  332. 

  333. // @Summary     Transfer super admin role to another admin user
    334. 

  334. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    335. 

  335. // @Tags        Users
    336. 

  336. // @Param       username path string true "Username of the user to transfer super admin role"
    337. 

  337. // @Success     200 {object} models.User
    338. 

  338. // @Failure     403 {object} models.ErrorResponse
    339. 

  339. // @Failure     500 {object} models.ErrorResponse
    340. 

  340. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    341. 

  341. 	w.Header().Set("Content-Type", "application/json")
    342. 

  342. 	caller, err := logic.GetUser(r.Header.Get("user"))
    343. 

  343. 	if err != nil {
    344. 

  344. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    345. 

  345. 	}
    346. 

  346. 	if caller.PlatformRoleID != models.SuperAdminRole {
    347. 

  347. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    348. 

  348. 		return
    349. 

  349. 	}
    350. 

  350. 	var params = mux.Vars(r)
    351. 

  351. 	username := params["username"]
    352. 

  352. 	u, err := logic.GetUser(username)
    353. 

  353. 	if err != nil {
    354. 

  354. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    355. 

  355. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    356. 

  356. 		return
    357. 

  357. 	}
    358. 

  358. 	if u.PlatformRoleID != models.AdminRole {
    359. 

  359. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    360. 

  360. 		return
    361. 

  361. 	}
    362. 

  362. 	if !servercfg.IsBasicAuthEnabled() {
    363. 

  363. 		logic.ReturnErrorResponse(
    364. 

  364. 			w,
    365. 

  365. 			r,
    366. 

  366. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    367. 

  367. 		)
    368. 

  368. 		return
    369. 

  369. 	}
    370. 

  370. 

  371. 	u.PlatformRoleID = models.SuperAdminRole
    372. 

  372. 	err = logic.UpsertUser(*u)
    373. 

  373. 	if err != nil {
    374. 

  374. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    375. 

  375. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    376. 

  376. 		return
    377. 

  377. 	}
    378. 

  378. 	caller.PlatformRoleID = models.AdminRole
    379. 

  379. 	err = logic.UpsertUser(*caller)
    380. 

  380. 	if err != nil {
    381. 

  381. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    382. 

  382. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    383. 

  383. 		return
    384. 

  384. 	}
    385. 

  385. 	slog.Info("user was made a super admin", "user", u.UserName)
    386. 

  386. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    387. 

  387. }
    388. 

  388. 

  389. // @Summary     Create a user
    390. 

  390. // @Router      /api/users/{username} [post]
    391. 

  391. // @Tags        Users
    392. 

  392. // @Param       username path string true "Username of the user to create"
    393. 

  393. // @Param       body body models.User true "User details"
    394. 

  394. // @Success     200 {object} models.User
    395. 

  395. // @Failure     400 {object} models.ErrorResponse
    396. 

  396. // @Failure     403 {object} models.ErrorResponse
    397. 

  397. // @Failure     500 {object} models.ErrorResponse
    398. 

  398. func createUser(w http.ResponseWriter, r *http.Request) {
    399. 

  399. 	w.Header().Set("Content-Type", "application/json")
    400. 

  400. 	caller, err := logic.GetUser(r.Header.Get("user"))
    401. 

  401. 	if err != nil {
    402. 

  402. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    403. 

  403. 		return
    404. 

  404. 	}
    405. 

  405. 	var user models.User
    406. 

  406. 	err = json.NewDecoder(r.Body).Decode(&user)
    407. 

  407. 	if err != nil {
    408. 

  408. 		logger.Log(0, user.UserName, "error decoding request body: ",
    409. 

  409. 			err.Error())
    410. 

  410. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    411. 

  411. 		return
    412. 

  412. 	}
    413. 

  413. 	if !servercfg.IsPro {
    414. 

  414. 		user.PlatformRoleID = models.AdminRole
    415. 

  415. 	}
    416. 

  416. 

  417. 	if user.PlatformRoleID == "" {
    418. 

  418. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    419. 

  419. 		return
    420. 

  420. 	}
    421. 

  421. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    422. 

  422. 	if err != nil {
    423. 

  423. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    424. 

  424. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    425. 

  425. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    426. 

  426. 		return
    427. 

  427. 	}
    428. 

  428. 	if userRole.ID == models.SuperAdminRole {
    429. 

  429. 		err = errors.New("additional superadmins cannot be created")
    430. 

  430. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    431. 

  431. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    432. 

  432. 		return
    433. 

  433. 	}
    434. 

  434. 

  435. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    436. 

  436. 		err = errors.New("only superadmin can create admin users")
    437. 

  437. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    438. 

  438. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    439. 

  439. 		return
    440. 

  440. 	}
    441. 

  441. 

  442. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    443. 

  443. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    444. 

  444. 		return
    445. 

  445. 	}
    446. 

  446. 

  447. 	err = logic.CreateUser(&user)
    448. 

  448. 	if err != nil {
    449. 

  449. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    450. 

  450. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    451. 

  451. 		return
    452. 

  452. 	}
    453. 

  453. 	logic.DeleteUserInvite(user.UserName)
    454. 

  454. 	logic.DeletePendingUser(user.UserName)
    455. 

  455. 	slog.Info("user was created", "username", user.UserName)
    456. 

  456. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    457. 

  457. }
    458. 

  458. 

  459. // @Summary     Update a user
    460. 

  460. // @Router      /api/users/{username} [put]
    461. 

  461. // @Tags        Users
    462. 

  462. // @Param       username path string true "Username of the user to update"
    463. 

  463. // @Param       body body models.User true "User details"
    464. 

  464. // @Success     200 {object} models.User
    465. 

  465. // @Failure     400 {object} models.ErrorResponse
    466. 

  466. // @Failure     403 {object} models.ErrorResponse
    467. 

  467. // @Failure     500 {object} models.ErrorResponse
    468. 

  468. func updateUser(w http.ResponseWriter, r *http.Request) {
    469. 

  469. 	w.Header().Set("Content-Type", "application/json")
    470. 

  470. 	var params = mux.Vars(r)
    471. 

  471. 	// start here
    472. 

  472. 	var caller *models.User
    473. 

  473. 	var err error
    474. 

  474. 	var ismaster bool
    475. 

  475. 	if r.Header.Get("user") == logic.MasterUser {
    476. 

  476. 		ismaster = true
    477. 

  477. 	} else {
    478. 

  478. 		caller, err = logic.GetUser(r.Header.Get("user"))
    479. 

  479. 		if err != nil {
    480. 

  480. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    481. 

  481. 		}
    482. 

  482. 	}
    483. 

  483. 

  484. 	username := params["username"]
    485. 

  485. 	user, err := logic.GetUser(username)
    486. 

  486. 	if err != nil {
    487. 

  487. 		logger.Log(0, username,
    488. 

  488. 			"failed to update user info: ", err.Error())
    489. 

  489. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    490. 

  490. 		return
    491. 

  491. 	}
    492. 

  492. 	var userchange models.User
    493. 

  493. 	// we decode our body request params
    494. 

  494. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    495. 

  495. 	if err != nil {
    496. 

  496. 		slog.Error("failed to decode body", "error ", err.Error())
    497. 

  497. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    498. 

  498. 		return
    499. 

  499. 	}
    500. 

  500. 	if user.UserName != userchange.UserName {
    501. 

  501. 		logic.ReturnErrorResponse(
    502. 

  502. 			w,
    503. 

  503. 			r,
    504. 

  504. 			logic.FormatError(
    505. 

  505. 				errors.New("user in param and request body not matching"),
    506. 

  506. 				"badrequest",
    507. 

  507. 			),
    508. 

  508. 		)
    509. 

  509. 		return
    510. 

  510. 	}
    511. 

  511. 	selfUpdate := false
    512. 

  512. 	if !ismaster && caller.UserName == user.UserName {
    513. 

  513. 		selfUpdate = true
    514. 

  514. 	}
    515. 

  515. 

  516. 	if !ismaster && !selfUpdate {
    517. 

  517. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    518. 

  518. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    519. 

  519. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    520. 

  520. 			return
    521. 

  521. 		}
    522. 

  522. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    523. 

  523. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    524. 

  524. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    525. 

  525. 			return
    526. 

  526. 		}
    527. 

  527. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    528. 

  528. 			slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
    529. 

  529. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
    530. 

  530. 			return
    531. 

  531. 		}
    532. 

  532. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    533. 

  533. 			err = errors.New("admin user cannot update role of an another user to admin")
    534. 

  534. 			slog.Error(
    535. 

  535. 				"failed to update user",
    536. 

  536. 				"caller",
    537. 

  537. 				caller.UserName,
    538. 

  538. 				"attempted to update user",
    539. 

  539. 				username,
    540. 

  540. 				"error",
    541. 

  541. 				err,
    542. 

  542. 			)
    543. 

  543. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    544. 

  544. 			return
    545. 

  545. 		}
    546. 

  546. 

  547. 	}
    548. 

  548. 	if !ismaster && selfUpdate {
    549. 

  549. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    550. 

  550. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    551. 

  551. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    552. 

  552. 			return
    553. 

  553. 

  554. 		}
    555. 

  555. 		if servercfg.IsPro {
    556. 

  556. 			// user cannot update his own roles and groups
    557. 

  557. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    558. 

  558. 				err = errors.New("user cannot update self update their network roles")
    559. 

  559. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    560. 

  560. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    561. 

  561. 				return
    562. 

  562. 			}
    563. 

  563. 			// user cannot update his own roles and groups
    564. 

  564. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    565. 

  565. 				err = errors.New("user cannot update self update their groups")
    566. 

  566. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    567. 

  567. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    568. 

  568. 				return
    569. 

  569. 			}
    570. 

  570. 		}
    571. 

  571. 

  572. 	}
    573. 

  573. 	if ismaster {
    574. 

  574. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    575. 

  575. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    576. 

  576. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    577. 

  577. 			return
    578. 

  578. 		}
    579. 

  579. 	}
    580. 

  580. 

  581. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    582. 

  582. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    583. 

  583. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    584. 

  584. 		return
    585. 

  585. 	}
    586. 

  586. 

  587. 	user, err = logic.UpdateUser(&userchange, user)
    588. 

  588. 	if err != nil {
    589. 

  589. 		logger.Log(0, username,
    590. 

  590. 			"failed to update user info: ", err.Error())
    591. 

  591. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    592. 

  592. 		return
    593. 

  593. 	}
    594. 

  594. 	logger.Log(1, username, "was updated")
    595. 

  595. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    596. 

  596. }
    597. 

  597. 

  598. // @Summary     Delete a user
    599. 

  599. // @Router      /api/users/{username} [delete]
    600. 

  600. // @Tags        Users
    601. 

  601. // @Param       username path string true "Username of the user to delete"
    602. 

  602. // @Success     200 {string} string
    603. 

  603. // @Failure     500 {object} models.ErrorResponse
    604. 

  604. func deleteUser(w http.ResponseWriter, r *http.Request) {
    605. 

  605. 	// Set header
    606. 

  606. 	w.Header().Set("Content-Type", "application/json")
    607. 

  607. 

  608. 	// get params
    609. 

  609. 	var params = mux.Vars(r)
    610. 

  610. 	caller, err := logic.GetUser(r.Header.Get("user"))
    611. 

  611. 	if err != nil {
    612. 

  612. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    613. 

  613. 	}
    614. 

  614. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    615. 

  615. 	if err != nil {
    616. 

  616. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    617. 

  617. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    618. 

  618. 		return
    619. 

  619. 	}
    620. 

  620. 	username := params["username"]
    621. 

  621. 	user, err := logic.GetUser(username)
    622. 

  622. 	if err != nil {
    623. 

  623. 		logger.Log(0, username,
    624. 

  624. 			"failed to update user info: ", err.Error())
    625. 

  625. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    626. 

  626. 		return
    627. 

  627. 	}
    628. 

  628. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    629. 

  629. 	if err != nil {
    630. 

  630. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    631. 

  631. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    632. 

  632. 		return
    633. 

  633. 	}
    634. 

  634. 	if userRole.ID == models.SuperAdminRole {
    635. 

  635. 		slog.Error(
    636. 

  636. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    637. 

  637. 		logic.ReturnErrorResponse(
    638. 

  638. 			w,
    639. 

  639. 			r,
    640. 

  640. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    641. 

  641. 		)
    642. 

  642. 		return
    643. 

  643. 	}
    644. 

  644. 	if callerUserRole.ID != models.SuperAdminRole {
    645. 

  645. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    646. 

  646. 			slog.Error(
    647. 

  647. 				"failed to delete user: ",
    648. 

  648. 				"user",
    649. 

  649. 				username,
    650. 

  650. 				"error",
    651. 

  651. 				"admin cannot delete another admin user, including oneself",
    652. 

  652. 			)
    653. 

  653. 			logic.ReturnErrorResponse(
    654. 

  654. 				w,
    655. 

  655. 				r,
    656. 

  656. 				logic.FormatError(
    657. 

  657. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    658. 

  658. 					"internal",
    659. 

  659. 				),
    660. 

  660. 			)
    661. 

  661. 			return
    662. 

  662. 		}
    663. 

  663. 	}
    664. 

  664. 	success, err := logic.DeleteUser(username)
    665. 

  665. 	if err != nil {
    666. 

  666. 		logger.Log(0, username,
    667. 

  667. 			"failed to delete user: ", err.Error())
    668. 

  668. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    669. 

  669. 		return
    670. 

  670. 	} else if !success {
    671. 

  671. 		err := errors.New("delete unsuccessful")
    672. 

  672. 		logger.Log(0, username, err.Error())
    673. 

  673. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    674. 

  674. 		return
    675. 

  675. 	}
    676. 

  676. 	// check and delete extclient with this ownerID
    677. 

  677. 	go func() {
    678. 

  678. 		extclients, err := logic.GetAllExtClients()
    679. 

  679. 		if err != nil {
    680. 

  680. 			slog.Error("failed to get extclients", "error", err)
    681. 

  681. 			return
    682. 

  682. 		}
    683. 

  683. 		for _, extclient := range extclients {
    684. 

  684. 			if extclient.OwnerID == user.UserName {
    685. 

  685. 				err = logic.DeleteExtClientAndCleanup(extclient)
    686. 

  686. 				if err != nil {
    687. 

  687. 					slog.Error("failed to delete extclient",
    688. 

  688. 						"id", extclient.ClientID, "owner", username, "error", err)
    689. 

  689. 				} else {
    690. 

  690. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    691. 

  691. 						slog.Error("error setting ext peers: " + err.Error())
    692. 

  692. 					}
    693. 

  693. 				}
    694. 

  694. 			}
    695. 

  695. 		}
    696. 

  696. 		if servercfg.IsDNSMode() {
    697. 

  697. 			logic.SetDNS()
    698. 

  698. 		}
    699. 

  699. 	}()
    700. 

  700. 	logger.Log(1, username, "was deleted")
    701. 

  701. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    702. 

  702. }
    703. 

  703. 

  704. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    705. 

  705. func socketHandler(w http.ResponseWriter, r *http.Request) {
    706. 

  706. 	// Upgrade our raw HTTP connection to a websocket based one
    707. 

  707. 	conn, err := upgrader.Upgrade(w, r, nil)
    708. 

  708. 	if err != nil {
    709. 

  709. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    710. 

  710. 		return
    711. 

  711. 	}
    712. 

  712. 	if conn == nil {
    713. 

  713. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    714. 

  714. 		return
    715. 

  715. 	}
    716. 

  716. 	// Start handling the session
    717. 

  717. 	go auth.SessionHandler(conn)
    718. 

  718. }
    719. 

  719. 

  720. // @Summary     lists all user roles.
    721. 

  721. // @Router      /api/v1/user/roles [get]
    722. 

  722. // @Tags        Users
    723. 

  723. // @Param       role_id param string true "roleid required to get the role details"
    724. 

  724. // @Success     200 {object}  []models.UserRolePermissionTemplate
    725. 

  725. // @Failure     500 {object} models.ErrorResponse
    726. 

  726. func listRoles(w http.ResponseWriter, r *http.Request) {
    727. 

  727. 	var roles []models.UserRolePermissionTemplate
    728. 

  728. 	var err error
    729. 

  729. 	roles, err = logic.ListPlatformRoles()
    730. 

  730. 	if err != nil {
    731. 

  731. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    732. 

  732. 			Code:    http.StatusInternalServerError,
    733. 

  733. 			Message: err.Error(),
    734. 

  734. 		})
    735. 

  735. 		return
    736. 

  736. 	}
    737. 

  737. 

  738. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    739. 

  739. }
    740.