golang
/
netmaker
mirror of https://github.com/gravitl/netmaker


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480
							package controllers

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"

	"github.com/gorilla/mux"
	"github.com/gravitl/netmaker/logger"
	"github.com/gravitl/netmaker/logic"
	"github.com/gravitl/netmaker/models"
	"github.com/gravitl/netmaker/mq"
	"github.com/gravitl/netmaker/pro/auth"
	"github.com/gravitl/netmaker/servercfg"
	"golang.org/x/exp/slog"
)

func UserHandlers(r *mux.Router) {
	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(attachUserToRemoteAccessGw))).
		Methods(http.MethodPost)
	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(removeUserFromRemoteAccessGW))).
		Methods(http.MethodDelete)
	r.HandleFunc("/api/users/{username}/remote_access_gw", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserRemoteAccessGws)))).
		Methods(http.MethodGet)
	r.HandleFunc("/api/users/ingress/{ingress_id}", logic.SecurityCheck(true, http.HandlerFunc(ingressGatewayUsers))).
		Methods(http.MethodGet)
	r.HandleFunc("/api/oauth/login", auth.HandleAuthLogin).Methods(http.MethodGet)
	r.HandleFunc("/api/oauth/callback", auth.HandleAuthCallback).Methods(http.MethodGet)
	r.HandleFunc("/api/oauth/headless", auth.HandleHeadlessSSO)
	r.HandleFunc("/api/oauth/register/{regKey}", auth.RegisterHostSSO).Methods(http.MethodGet)
}

// @Summary     Attach user to a remote access gateway
// @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [post]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       username path string true "Username"
// @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
// @Success     200 {object} models.ReturnUser
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	username := params["username"]
	remoteGwID := params["remote_access_gateway_id"]
	if username == "" || remoteGwID == "" {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("required params `username` and `remote_access_gateway_id`"),
				"badrequest",
			),
		)
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		slog.Error("failed to fetch user: ", "username", username, "error", err.Error())
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
				"badrequest",
			),
		)
		return
	}
	if user.IsAdmin || user.IsSuperAdmin {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("superadmins/admins have access to all gateways"),
				"badrequest",
			),
		)
		return
	}
	node, err := logic.GetNodeByID(remoteGwID)
	if err != nil {
		slog.Error("failed to fetch gateway node", "nodeID", remoteGwID, "error", err)
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch remote access gateway node, error: %v", err),
				"badrequest",
			),
		)
		return
	}
	if !node.IsIngressGateway {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(fmt.Errorf("node is not a remote access gateway"), "badrequest"),
		)
		return
	}
	if user.RemoteGwIDs == nil {
		user.RemoteGwIDs = make(map[string]struct{})
	}
	user.RemoteGwIDs[node.ID.String()] = struct{}{}
	err = logic.UpsertUser(*user)
	if err != nil {
		slog.Error("failed to update user's gateways", "user", username, "error", err)
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch remote access gateway node,error: %v", err),
				"badrequest",
			),
		)
		return
	}

	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
}

// @Summary     Remove user from a remote access gateway
// @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [delete]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       username path string true "Username"
// @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
// @Success     200 {object} models.ReturnUser
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	username := params["username"]
	remoteGwID := params["remote_access_gateway_id"]
	if username == "" || remoteGwID == "" {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("required params `username` and `remote_access_gateway_id`"),
				"badrequest",
			),
		)
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
				"badrequest",
			),
		)
		return
	}
	delete(user.RemoteGwIDs, remoteGwID)
	go func(user models.User, remoteGwID string) {
		extclients, err := logic.GetAllExtClients()
		if err != nil {
			slog.Error("failed to fetch extclients", "error", err)
			return
		}
		for _, extclient := range extclients {
			if extclient.OwnerID == user.UserName && remoteGwID == extclient.IngressGatewayID {
				err = logic.DeleteExtClientAndCleanup(extclient)
				if err != nil {
					slog.Error("failed to delete extclient",
						"id", extclient.ClientID, "owner", user.UserName, "error", err)
				} else {
					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
						slog.Error("error setting ext peers: " + err.Error())
					}
				}
			}
		}
		if servercfg.IsDNSMode() {
			logic.SetDNS()
		}
	}(*user, remoteGwID)

	err = logic.UpsertUser(*user)
	if err != nil {
		slog.Error("failed to update user gateways", "user", username, "error", err)
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("failed to fetch remote access gaetway node "+err.Error()),
				"badrequest",
			),
		)
		return
	}
	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
}

// @Summary     Get user's remote access gateways
// @Router      /api/users/{username}/remote_access_gw [get]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       username path string true "Username"
// @Param       remote_access_clientid query string false "Remote Access Client ID"
// @Param       from_mobile query boolean false "Request from mobile"
// @Success     200 {array} models.UserRemoteGws
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func getUserRemoteAccessGws(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	username := params["username"]
	if username == "" {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(errors.New("required params username"), "badrequest"),
		)
		return
	}
	remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
	var req models.UserRemoteGwsReq
	if remoteAccessClientID == "" {
		err := json.NewDecoder(r.Body).Decode(&req)
		if err != nil {
			slog.Error("error decoding request body: ", "error", err)
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
			return
		}
	}
	reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
	if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"),
		)
		return
	}
	if req.RemoteAccessClientID == "" {
		req.RemoteAccessClientID = remoteAccessClientID
	}
	userGws := make(map[string][]models.UserRemoteGws)
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
				"badrequest",
			),
		)
		return
	}
	allextClients, err := logic.GetAllExtClients()
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}

	processedAdminNodeIds := make(map[string]struct{})
	for _, extClient := range allextClients {
		if extClient.RemoteAccessClientID == req.RemoteAccessClientID &&
			extClient.OwnerID == username {
			node, err := logic.GetNodeByID(extClient.IngressGatewayID)
			if err != nil {
				continue
			}
			if node.PendingDelete {
				continue
			}
			if !node.IsIngressGateway {
				continue
			}
			host, err := logic.GetHost(node.HostID.String())
			if err != nil {
				continue
			}
			network, err := logic.GetNetwork(node.Network)
			if err != nil {
				slog.Error("failed to get node network", "error", err)
			}

			if _, ok := user.RemoteGwIDs[node.ID.String()]; (!user.IsAdmin && !user.IsSuperAdmin) &&
				ok {
				gws := userGws[node.Network]
				extClient.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
				gws = append(gws, models.UserRemoteGws{
					GwID:              node.ID.String(),
					GWName:            host.Name,
					Network:           node.Network,
					GwClient:          extClient,
					Connected:         true,
					IsInternetGateway: node.IsInternetGateway,
					GwPeerPublicKey:   host.PublicKey.String(),
					GwListenPort:      logic.GetPeerListenPort(host),
					Metadata:          node.Metadata,
					AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
					NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
				})
				userGws[node.Network] = gws
				delete(user.RemoteGwIDs, node.ID.String())
			} else {
				gws := userGws[node.Network]
				extClient.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
				gws = append(gws, models.UserRemoteGws{
					GwID:              node.ID.String(),
					GWName:            host.Name,
					Network:           node.Network,
					GwClient:          extClient,
					Connected:         true,
					IsInternetGateway: node.IsInternetGateway,
					GwPeerPublicKey:   host.PublicKey.String(),
					GwListenPort:      logic.GetPeerListenPort(host),
					Metadata:          node.Metadata,
					AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
					NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
				})
				userGws[node.Network] = gws
				processedAdminNodeIds[node.ID.String()] = struct{}{}
			}
		}
	}

	// add remaining gw nodes to resp
	if !user.IsAdmin && !user.IsSuperAdmin {
		for gwID := range user.RemoteGwIDs {
			node, err := logic.GetNodeByID(gwID)
			if err != nil {
				continue
			}
			if !node.IsIngressGateway {
				continue
			}
			if node.PendingDelete {
				continue
			}
			host, err := logic.GetHost(node.HostID.String())
			if err != nil {
				continue
			}
			network, err := logic.GetNetwork(node.Network)
			if err != nil {
				slog.Error("failed to get node network", "error", err)
			}
			gws := userGws[node.Network]

			gws = append(gws, models.UserRemoteGws{
				GwID:              node.ID.String(),
				GWName:            host.Name,
				Network:           node.Network,
				IsInternetGateway: node.IsInternetGateway,
				GwPeerPublicKey:   host.PublicKey.String(),
				GwListenPort:      logic.GetPeerListenPort(host),
				Metadata:          node.Metadata,
				AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
				NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
			})
			userGws[node.Network] = gws
		}
	} else {
		allNodes, err := logic.GetAllNodes()
		if err != nil {
			slog.Error("failed to fetch all nodes", "error", err)
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
			return
		}
		for _, node := range allNodes {
			_, ok := processedAdminNodeIds[node.ID.String()]
			if node.IsIngressGateway && !node.PendingDelete && !ok {
				host, err := logic.GetHost(node.HostID.String())
				if err != nil {
					slog.Error("failed to fetch host", "error", err)
					continue
				}
				network, err := logic.GetNetwork(node.Network)
				if err != nil {
					slog.Error("failed to get node network", "error", err)
				}
				gws := userGws[node.Network]

				gws = append(gws, models.UserRemoteGws{
					GwID:              node.ID.String(),
					GWName:            host.Name,
					Network:           node.Network,
					IsInternetGateway: node.IsInternetGateway,
					GwPeerPublicKey:   host.PublicKey.String(),
					GwListenPort:      logic.GetPeerListenPort(host),
					Metadata:          node.Metadata,
					AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
					NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
				})
				userGws[node.Network] = gws
			}
		}
	}
	if reqFromMobile {
		// send resp in array format
		userGwsArr := []models.UserRemoteGws{}
		for _, userGwI := range userGws {
			userGwsArr = append(userGwsArr, userGwI...)
		}
		logic.ReturnSuccessResponseWithJson(w, r, userGwsArr, "fetched gateways for user"+username)
		return
	}
	slog.Debug("returned user gws", "user", username, "gws", userGws)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(userGws)
}

// @Summary     List users attached to an remote access gateway
// @Router      /api/nodes/{network}/{nodeid}/ingress/users [get]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       ingress_id path string true "Ingress Gateway ID"
// @Success     200 {array} models.IngressGwUsers
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func ingressGatewayUsers(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	ingressID := params["ingress_id"]
	node, err := logic.GetNodeByID(ingressID)
	if err != nil {
		slog.Error("failed to get ingress node", "error", err)
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	gwUsers, err := logic.GetIngressGwUsers(node)
	if err != nil {
		slog.Error(
			"failed to get users on ingress gateway",
			"nodeid",
			ingressID,
			"network",
			node.Network,
			"user",
			r.Header.Get("user"),
			"error",
			err,
		)
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(gwUsers)
}

func getAllowedRagEndpoints(ragNode *models.Node, ragHost *models.Host) []string {
	endpoints := []string{}
	if len(ragHost.EndpointIP) > 0 {
		endpoints = append(endpoints, ragHost.EndpointIP.String())
	}
	if len(ragHost.EndpointIPv6) > 0 {
		endpoints = append(endpoints, ragHost.EndpointIPv6.String())
	}
	if servercfg.IsPro {
		for _, ip := range ragNode.AdditionalRagIps {
			endpoints = append(endpoints, ip.String())
		}
	}
	return endpoints
}