Trang chủ Khám phá Trợ giúp
Đăng nhập
golang
/
netmaker
mirror of https://github.com/gravitl/netmaker
2
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Branch: NET-1932-acl-pro
Branches Tags
netmaker
/
controllers
/
user.go

user.go 31 KB
Permalink Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"reflect"
    9. 

  9. 	"time"
    10. 

  10. 

  11. 	"github.com/google/uuid"
    12. 

  12. 	"github.com/gorilla/mux"
    13. 

  13. 	"github.com/gorilla/websocket"
    14. 

  14. 	"github.com/gravitl/netmaker/auth"
    15. 

  15. 	"github.com/gravitl/netmaker/logger"
    16. 

  16. 	"github.com/gravitl/netmaker/logic"
    17. 

  17. 	"github.com/gravitl/netmaker/models"
    18. 

  18. 	"github.com/gravitl/netmaker/mq"
    19. 

  19. 	"github.com/gravitl/netmaker/schema"
    20. 

  20. 	"github.com/gravitl/netmaker/servercfg"
    21. 

  21. 	"golang.org/x/exp/slog"
    22. 

  22. )
    23. 

  23. 

  24. var (
    25. 

  25. 	upgrader = websocket.Upgrader{}
    26. 

  26. )
    27. 

  27. 

  28. var ListRoles = listRoles
    29. 

  29. 

  30. func userHandlers(r *mux.Router) {
    31. 

  31. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    32. 

  32. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    34. 

  34. 		Methods(http.MethodPost)
    35. 

  35. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    37. 

  37. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    38. 

  38. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    39. 

  39. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    40. 

  40. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    42. 

  42. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    43. 

  43. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(createUserAccessToken))).Methods(http.MethodPost)
    44. 

  44. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(getUserAccessTokens))).Methods(http.MethodGet)
    45. 

  45. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(deleteUserAccessTokens))).Methods(http.MethodDelete)
    46. 

  46. }
    47. 

  47. 

  48. // @Summary     Authenticate a user to retrieve an authorization token
    49. 

  49. // @Router      /api/v1/users/{username}/access_token [post]
    50. 

  50. // @Tags        Auth
    51. 

  51. // @Accept      json
    52. 

  52. // @Param       body body models.UserAuthParams true "Authentication parameters"
    53. 

  53. // @Success     200 {object} models.SuccessResponse
    54. 

  54. // @Failure     400 {object} models.ErrorResponse
    55. 

  55. // @Failure     401 {object} models.ErrorResponse
    56. 

  56. // @Failure     500 {object} models.ErrorResponse
    57. 

  57. func createUserAccessToken(w http.ResponseWriter, r *http.Request) {
    58. 

  58. 

  59. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    60. 

  60. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    61. 

  61. 	var req schema.UserAccessToken
    62. 

  62. 

  63. 	err := json.NewDecoder(r.Body).Decode(&req)
    64. 

  64. 	if err != nil {
    65. 

  65. 		logger.Log(0, "error decoding request body: ",
    66. 

  66. 			err.Error())
    67. 

  67. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    68. 

  68. 		return
    69. 

  69. 	}
    70. 

  70. 	if req.Name == "" {
    71. 

  71. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("name is required"), "badrequest"))
    72. 

  72. 		return
    73. 

  73. 	}
    74. 

  74. 	if req.UserName == "" {
    75. 

  75. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    76. 

  76. 		return
    77. 

  77. 	}
    78. 

  78. 	caller, err := logic.GetUser(r.Header.Get("user"))
    79. 

  79. 	if err != nil {
    80. 

  80. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    81. 

  81. 		return
    82. 

  82. 	}
    83. 

  83. 	user, err := logic.GetUser(req.UserName)
    84. 

  84. 	if err != nil {
    85. 

  85. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    86. 

  86. 		return
    87. 

  87. 	}
    88. 

  88. 	if caller.UserName != user.UserName && caller.PlatformRoleID != models.SuperAdminRole {
    89. 

  89. 		if caller.PlatformRoleID == models.AdminRole {
    90. 

  90. 			if user.PlatformRoleID == models.SuperAdminRole || user.PlatformRoleID == models.AdminRole {
    91. 

  91. 				logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to create token for user "+user.UserName), logic.Forbidden_Msg))
    92. 

  92. 				return
    93. 

  93. 			}
    94. 

  94. 		} else {
    95. 

  95. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to create token for user "+user.UserName), logic.Forbidden_Msg))
    96. 

  96. 			return
    97. 

  97. 		}
    98. 

  98. 	}
    99. 

  99. 

  100. 	req.ID = uuid.New().String()
    101. 

  101. 	req.CreatedBy = r.Header.Get("user")
    102. 

  102. 	req.CreatedAt = time.Now()
    103. 

  103. 	jwt, err := logic.CreateUserAccessJwtToken(user.UserName, user.PlatformRoleID, req.ExpiresAt, req.ID)
    104. 

  104. 	if jwt == "" {
    105. 

  105. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    106. 

  106. 		logic.ReturnErrorResponse(
    107. 

  107. 			w,
    108. 

  108. 			r,
    109. 

  109. 			logic.FormatError(errors.New("error creating access token "+err.Error()), "internal"),
    110. 

  110. 		)
    111. 

  111. 		return
    112. 

  112. 	}
    113. 

  113. 	err = req.Create(r.Context())
    114. 

  114. 	if err != nil {
    115. 

  115. 		logic.ReturnErrorResponse(
    116. 

  116. 			w,
    117. 

  117. 			r,
    118. 

  118. 			logic.FormatError(errors.New("error creating access token "+err.Error()), "internal"),
    119. 

  119. 		)
    120. 

  120. 		return
    121. 

  121. 	}
    122. 

  122. 	logic.ReturnSuccessResponseWithJson(w, r, models.SuccessfulUserLoginResponse{
    123. 

  123. 		AuthToken: jwt,
    124. 

  124. 		UserName:  req.UserName,
    125. 

  125. 	}, "api access token has generated for user "+req.UserName)
    126. 

  126. }
    127. 

  127. 

  128. // @Summary     Authenticate a user to retrieve an authorization token
    129. 

  129. // @Router      /api/v1/users/{username}/access_token [post]
    130. 

  130. // @Tags        Auth
    131. 

  131. // @Accept      json
    132. 

  132. // @Param       body body models.UserAuthParams true "Authentication parameters"
    133. 

  133. // @Success     200 {object} models.SuccessResponse
    134. 

  134. // @Failure     400 {object} models.ErrorResponse
    135. 

  135. // @Failure     401 {object} models.ErrorResponse
    136. 

  136. // @Failure     500 {object} models.ErrorResponse
    137. 

  137. func getUserAccessTokens(w http.ResponseWriter, r *http.Request) {
    138. 

  138. 	username := r.URL.Query().Get("username")
    139. 

  139. 	if username == "" {
    140. 

  140. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    141. 

  141. 		return
    142. 

  142. 	}
    143. 

  143. 	logic.ReturnSuccessResponseWithJson(w, r, (&schema.UserAccessToken{UserName: username}).ListByUser(r.Context()), "fetched api access tokens for user "+username)
    144. 

  144. }
    145. 

  145. 

  146. // @Summary     Authenticate a user to retrieve an authorization token
    147. 

  147. // @Router      /api/v1/users/{username}/access_token [post]
    148. 

  148. // @Tags        Auth
    149. 

  149. // @Accept      json
    150. 

  150. // @Param       body body models.UserAuthParams true "Authentication parameters"
    151. 

  151. // @Success     200 {object} models.SuccessResponse
    152. 

  152. // @Failure     400 {object} models.ErrorResponse
    153. 

  153. // @Failure     401 {object} models.ErrorResponse
    154. 

  154. // @Failure     500 {object} models.ErrorResponse
    155. 

  155. func deleteUserAccessTokens(w http.ResponseWriter, r *http.Request) {
    156. 

  156. 	id := r.URL.Query().Get("id")
    157. 

  157. 	if id == "" {
    158. 

  158. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("id is required"), "badrequest"))
    159. 

  159. 		return
    160. 

  160. 	}
    161. 

  161. 	a := schema.UserAccessToken{
    162. 

  162. 		ID: id,
    163. 

  163. 	}
    164. 

  164. 	err := a.Get(r.Context())
    165. 

  165. 	if err != nil {
    166. 

  166. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("id is required"), "badrequest"))
    167. 

  167. 		return
    168. 

  168. 	}
    169. 

  169. 	caller, err := logic.GetUser(r.Header.Get("user"))
    170. 

  170. 	if err != nil {
    171. 

  171. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    172. 

  172. 		return
    173. 

  173. 	}
    174. 

  174. 	user, err := logic.GetUser(a.UserName)
    175. 

  175. 	if err != nil {
    176. 

  176. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    177. 

  177. 		return
    178. 

  178. 	}
    179. 

  179. 	if caller.UserName != user.UserName && caller.PlatformRoleID != models.SuperAdminRole {
    180. 

  180. 		if caller.PlatformRoleID == models.AdminRole {
    181. 

  181. 			if user.PlatformRoleID == models.SuperAdminRole || user.PlatformRoleID == models.AdminRole {
    182. 

  182. 				logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to delete token of user "+user.UserName), logic.Forbidden_Msg))
    183. 

  183. 				return
    184. 

  184. 			}
    185. 

  185. 		} else {
    186. 

  186. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to delete token of user "+user.UserName), logic.Forbidden_Msg))
    187. 

  187. 			return
    188. 

  188. 		}
    189. 

  189. 	}
    190. 

  190. 

  191. 	err = (&schema.UserAccessToken{ID: id}).Delete(r.Context())
    192. 

  192. 	if err != nil {
    193. 

  193. 		logic.ReturnErrorResponse(
    194. 

  194. 			w,
    195. 

  195. 			r,
    196. 

  196. 			logic.FormatError(errors.New("error deleting access token "+err.Error()), "internal"),
    197. 

  197. 		)
    198. 

  198. 		return
    199. 

  199. 	}
    200. 

  200. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "revoked access token")
    201. 

  201. }
    202. 

  202. 

  203. // @Summary     Authenticate a user to retrieve an authorization token
    204. 

  204. // @Router      /api/users/adm/authenticate [post]
    205. 

  205. // @Tags        Auth
    206. 

  206. // @Accept      json
    207. 

  207. // @Param       body body models.UserAuthParams true "Authentication parameters"
    208. 

  208. // @Success     200 {object} models.SuccessResponse
    209. 

  209. // @Failure     400 {object} models.ErrorResponse
    210. 

  210. // @Failure     401 {object} models.ErrorResponse
    211. 

  211. // @Failure     500 {object} models.ErrorResponse
    212. 

  212. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    213. 

  213. 

  214. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    215. 

  215. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    216. 

  216. 	var authRequest models.UserAuthParams
    217. 

  217. 	var errorResponse = models.ErrorResponse{
    218. 

  218. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    219. 

  219. 	}
    220. 

  220. 	decoder := json.NewDecoder(request.Body)
    221. 

  221. 	decoderErr := decoder.Decode(&authRequest)
    222. 

  222. 	defer request.Body.Close()
    223. 

  223. 	if decoderErr != nil {
    224. 

  224. 		logger.Log(0, "error decoding request body: ",
    225. 

  225. 			decoderErr.Error())
    226. 

  226. 		logic.ReturnErrorResponse(response, request, errorResponse)
    227. 

  227. 		return
    228. 

  228. 	}
    229. 

  229. 	user, err := logic.GetUser(authRequest.UserName)
    230. 

  230. 	if err != nil {
    231. 

  231. 		logger.Log(0, authRequest.UserName, "user validation failed: ",
    232. 

  232. 			err.Error())
    233. 

  233. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    234. 

  234. 		return
    235. 

  235. 	}
    236. 

  236. 	if logic.IsOauthUser(user) == nil {
    237. 

  237. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    238. 

  238. 		return
    239. 

  239. 	}
    240. 

  240. 	if !user.IsSuperAdmin && !logic.IsBasicAuthEnabled() {
    241. 

  241. 		logic.ReturnErrorResponse(
    242. 

  242. 			response,
    243. 

  243. 			request,
    244. 

  244. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    245. 

  245. 		)
    246. 

  246. 		return
    247. 

  247. 	}
    248. 

  248. 

  249. 	if val := request.Header.Get("From-Ui"); val == "true" {
    250. 

  250. 		// request came from UI, if normal user block Login
    251. 

  251. 

  252. 		role, err := logic.GetRole(user.PlatformRoleID)
    253. 

  253. 		if err != nil {
    254. 

  254. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    255. 

  255. 			return
    256. 

  256. 		}
    257. 

  257. 		if role.DenyDashboardAccess {
    258. 

  258. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    259. 

  259. 			return
    260. 

  260. 		}
    261. 

  261. 	}
    262. 

  262. 

  263. 	username := authRequest.UserName
    264. 

  264. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    265. 

  265. 	if err != nil {
    266. 

  266. 		logger.Log(0, username, "user validation failed: ",
    267. 

  267. 			err.Error())
    268. 

  268. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    269. 

  269. 		return
    270. 

  270. 	}
    271. 

  271. 

  272. 	if jwt == "" {
    273. 

  273. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    274. 

  274. 		logger.Log(0, username, "jwt token is empty")
    275. 

  275. 		logic.ReturnErrorResponse(
    276. 

  276. 			response,
    277. 

  277. 			request,
    278. 

  278. 			logic.FormatError(errors.New("no token returned"), "internal"),
    279. 

  279. 		)
    280. 

  280. 		return
    281. 

  281. 	}
    282. 

  282. 

  283. 	var successResponse = models.SuccessResponse{
    284. 

  284. 		Code:    http.StatusOK,
    285. 

  285. 		Message: "W1R3: Device " + username + " Authorized",
    286. 

  286. 		Response: models.SuccessfulUserLoginResponse{
    287. 

  287. 			AuthToken: jwt,
    288. 

  288. 			UserName:  username,
    289. 

  289. 		},
    290. 

  290. 	}
    291. 

  291. 	// Send back the JWT
    292. 

  292. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    293. 

  293. 	if jsonError != nil {
    294. 

  294. 		logger.Log(0, username,
    295. 

  295. 			"error marshalling resp: ", jsonError.Error())
    296. 

  296. 		logic.ReturnErrorResponse(response, request, errorResponse)
    297. 

  297. 		return
    298. 

  298. 	}
    299. 

  299. 	logger.Log(2, username, "was authenticated")
    300. 

  300. 	response.Header().Set("Content-Type", "application/json")
    301. 

  301. 	response.Write(successJSONResponse)
    302. 

  302. 

  303. 	go func() {
    304. 

  304. 		if servercfg.IsPro && logic.GetRacAutoDisable() {
    305. 

  305. 			// enable all associeated clients for the user
    306. 

  306. 			clients, err := logic.GetAllExtClients()
    307. 

  307. 			if err != nil {
    308. 

  308. 				slog.Error("error getting clients: ", "error", err)
    309. 

  309. 				return
    310. 

  310. 			}
    311. 

  311. 			for _, client := range clients {
    312. 

  312. 				if client.OwnerID == username && !client.Enabled {
    313. 

  313. 					slog.Info(
    314. 

  314. 						fmt.Sprintf(
    315. 

  315. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    316. 

  316. 							client.ClientID,
    317. 

  317. 							client.OwnerID,
    318. 

  318. 						),
    319. 

  319. 					)
    320. 

  320. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    321. 

  321. 						slog.Error(
    322. 

  322. 							"error enabling ext client in RAC autodisable hook",
    323. 

  323. 							"error",
    324. 

  324. 							err,
    325. 

  325. 						)
    326. 

  326. 						continue // dont return but try for other clients
    327. 

  327. 					} else {
    328. 

  328. 						// publish peer update to ingress gateway
    329. 

  329. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    330. 

  330. 							if err = mq.PublishPeerUpdate(false); err != nil {
    331. 

  331. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    332. 

  332. 							}
    333. 

  333. 						}
    334. 

  334. 					}
    335. 

  335. 				}
    336. 

  336. 			}
    337. 

  337. 		}
    338. 

  338. 	}()
    339. 

  339. }
    340. 

  340. 

  341. // @Summary     Check if the server has a super admin
    342. 

  342. // @Router      /api/users/adm/hassuperadmin [get]
    343. 

  343. // @Tags        Users
    344. 

  344. // @Success     200 {object} bool
    345. 

  345. // @Failure     500 {object} models.ErrorResponse
    346. 

  346. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    347. 

  347. 

  348. 	w.Header().Set("Content-Type", "application/json")
    349. 

  349. 

  350. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    351. 

  351. 	if err != nil {
    352. 

  352. 		logger.Log(0, "failed to check for admin: ", err.Error())
    353. 

  353. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    354. 

  354. 		return
    355. 

  355. 	}
    356. 

  356. 

  357. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    358. 

  358. 

  359. }
    360. 

  360. 

  361. // @Summary     Get an individual user
    362. 

  362. // @Router      /api/users/{username} [get]
    363. 

  363. // @Tags        Users
    364. 

  364. // @Param       username path string true "Username of the user to fetch"
    365. 

  365. // @Success     200 {object} models.User
    366. 

  366. // @Failure     500 {object} models.ErrorResponse
    367. 

  367. func getUser(w http.ResponseWriter, r *http.Request) {
    368. 

  368. 	// set header.
    369. 

  369. 	w.Header().Set("Content-Type", "application/json")
    370. 

  370. 

  371. 	var params = mux.Vars(r)
    372. 

  372. 	usernameFetched := params["username"]
    373. 

  373. 	user, err := logic.GetReturnUser(usernameFetched)
    374. 

  374. 

  375. 	if err != nil {
    376. 

  376. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    377. 

  377. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    378. 

  378. 		return
    379. 

  379. 	}
    380. 

  380. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    381. 

  381. 	json.NewEncoder(w).Encode(user)
    382. 

  382. }
    383. 

  383. 

  384. // swagger:route GET /api/v1/users user getUserV1
    385. 

  385. //
    386. 

  386. // Get an individual user with role info.
    387. 

  387. //
    388. 

  388. //			Schemes: https
    389. 

  389. //
    390. 

  390. //			Security:
    391. 

  391. //	  		oauth
    392. 

  392. //
    393. 

  393. //			Responses:
    394. 

  394. //				200: ReturnUserWithRolesAndGroups
    395. 

  395. func getUserV1(w http.ResponseWriter, r *http.Request) {
    396. 

  396. 	// set header.
    397. 

  397. 	w.Header().Set("Content-Type", "application/json")
    398. 

  398. 	usernameFetched := r.URL.Query().Get("username")
    399. 

  399. 	if usernameFetched == "" {
    400. 

  400. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    401. 

  401. 		return
    402. 

  402. 	}
    403. 

  403. 	user, err := logic.GetReturnUser(usernameFetched)
    404. 

  404. 	if err != nil {
    405. 

  405. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    406. 

  406. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    407. 

  407. 		return
    408. 

  408. 	}
    409. 

  409. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    410. 

  410. 	if err != nil {
    411. 

  411. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    412. 

  412. 		return
    413. 

  413. 	}
    414. 

  414. 	resp := models.ReturnUserWithRolesAndGroups{
    415. 

  415. 		ReturnUser:   user,
    416. 

  416. 		PlatformRole: userRoleTemplate,
    417. 

  417. 		UserGroups:   map[models.UserGroupID]models.UserGroup{},
    418. 

  418. 	}
    419. 

  419. 	for gId := range user.UserGroups {
    420. 

  420. 		grp, err := logic.GetUserGroup(gId)
    421. 

  421. 		if err != nil {
    422. 

  422. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    423. 

  423. 			return
    424. 

  424. 		}
    425. 

  425. 		resp.UserGroups[gId] = grp
    426. 

  426. 	}
    427. 

  427. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    428. 

  428. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    429. 

  429. }
    430. 

  430. 

  431. // swagger:route GET /api/users user getUsers
    432. 

  432. //
    433. 

  433. // Get all users.
    434. 

  434. //
    435. 

  435. //			Schemes: https
    436. 

  436. //
    437. 

  437. //			Security:
    438. 

  438. //	  		oauth
    439. 

  439. //
    440. 

  440. //			Responses:
    441. 

  441. //				200: userBodyResponse
    442. 

  442. func getUsers(w http.ResponseWriter, r *http.Request) {
    443. 

  443. 	// set header.
    444. 

  444. 	w.Header().Set("Content-Type", "application/json")
    445. 

  445. 

  446. 	users, err := logic.GetUsers()
    447. 

  447. 

  448. 	if err != nil {
    449. 

  449. 		logger.Log(0, "failed to fetch users: ", err.Error())
    450. 

  450. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    451. 

  451. 		return
    452. 

  452. 	}
    453. 

  453. 

  454. 	logic.SortUsers(users[:])
    455. 

  455. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    456. 

  456. 	json.NewEncoder(w).Encode(users)
    457. 

  457. }
    458. 

  458. 

  459. // @Summary     Create a super admin
    460. 

  460. // @Router      /api/users/adm/createsuperadmin [post]
    461. 

  461. // @Tags        Users
    462. 

  462. // @Param       body body models.User true "User details"
    463. 

  463. // @Success     200 {object} models.User
    464. 

  464. // @Failure     400 {object} models.ErrorResponse
    465. 

  465. // @Failure     500 {object} models.ErrorResponse
    466. 

  466. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    467. 

  467. 	w.Header().Set("Content-Type", "application/json")
    468. 

  468. 

  469. 	var u models.User
    470. 

  470. 

  471. 	err := json.NewDecoder(r.Body).Decode(&u)
    472. 

  472. 	if err != nil {
    473. 

  473. 		slog.Error("error decoding request body", "error", err.Error())
    474. 

  474. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    475. 

  475. 		return
    476. 

  476. 	}
    477. 

  477. 

  478. 	if !logic.IsBasicAuthEnabled() {
    479. 

  479. 		logic.ReturnErrorResponse(
    480. 

  480. 			w,
    481. 

  481. 			r,
    482. 

  482. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    483. 

  483. 		)
    484. 

  484. 		return
    485. 

  485. 	}
    486. 

  486. 

  487. 	err = logic.CreateSuperAdmin(&u)
    488. 

  488. 	if err != nil {
    489. 

  489. 		slog.Error("failed to create admin", "error", err.Error())
    490. 

  490. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    491. 

  491. 		return
    492. 

  492. 	}
    493. 

  493. 	logger.Log(1, u.UserName, "was made a super admin")
    494. 

  494. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    495. 

  495. }
    496. 

  496. 

  497. // @Summary     Transfer super admin role to another admin user
    498. 

  498. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    499. 

  499. // @Tags        Users
    500. 

  500. // @Param       username path string true "Username of the user to transfer super admin role"
    501. 

  501. // @Success     200 {object} models.User
    502. 

  502. // @Failure     403 {object} models.ErrorResponse
    503. 

  503. // @Failure     500 {object} models.ErrorResponse
    504. 

  504. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    505. 

  505. 	w.Header().Set("Content-Type", "application/json")
    506. 

  506. 	caller, err := logic.GetUser(r.Header.Get("user"))
    507. 

  507. 	if err != nil {
    508. 

  508. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    509. 

  509. 	}
    510. 

  510. 	if caller.PlatformRoleID != models.SuperAdminRole {
    511. 

  511. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    512. 

  512. 		return
    513. 

  513. 	}
    514. 

  514. 	var params = mux.Vars(r)
    515. 

  515. 	username := params["username"]
    516. 

  516. 	u, err := logic.GetUser(username)
    517. 

  517. 	if err != nil {
    518. 

  518. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    519. 

  519. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    520. 

  520. 		return
    521. 

  521. 	}
    522. 

  522. 	if u.PlatformRoleID != models.AdminRole {
    523. 

  523. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    524. 

  524. 		return
    525. 

  525. 	}
    526. 

  526. 	if !logic.IsBasicAuthEnabled() {
    527. 

  527. 		logic.ReturnErrorResponse(
    528. 

  528. 			w,
    529. 

  529. 			r,
    530. 

  530. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    531. 

  531. 		)
    532. 

  532. 		return
    533. 

  533. 	}
    534. 

  534. 

  535. 	u.PlatformRoleID = models.SuperAdminRole
    536. 

  536. 	err = logic.UpsertUser(*u)
    537. 

  537. 	if err != nil {
    538. 

  538. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    539. 

  539. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    540. 

  540. 		return
    541. 

  541. 	}
    542. 

  542. 	caller.PlatformRoleID = models.AdminRole
    543. 

  543. 	err = logic.UpsertUser(*caller)
    544. 

  544. 	if err != nil {
    545. 

  545. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    546. 

  546. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    547. 

  547. 		return
    548. 

  548. 	}
    549. 

  549. 	slog.Info("user was made a super admin", "user", u.UserName)
    550. 

  550. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    551. 

  551. }
    552. 

  552. 

  553. // @Summary     Create a user
    554. 

  554. // @Router      /api/users/{username} [post]
    555. 

  555. // @Tags        Users
    556. 

  556. // @Param       username path string true "Username of the user to create"
    557. 

  557. // @Param       body body models.User true "User details"
    558. 

  558. // @Success     200 {object} models.User
    559. 

  559. // @Failure     400 {object} models.ErrorResponse
    560. 

  560. // @Failure     403 {object} models.ErrorResponse
    561. 

  561. // @Failure     500 {object} models.ErrorResponse
    562. 

  562. func createUser(w http.ResponseWriter, r *http.Request) {
    563. 

  563. 	w.Header().Set("Content-Type", "application/json")
    564. 

  564. 	caller, err := logic.GetUser(r.Header.Get("user"))
    565. 

  565. 	if err != nil {
    566. 

  566. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    567. 

  567. 		return
    568. 

  568. 	}
    569. 

  569. 	var user models.User
    570. 

  570. 	err = json.NewDecoder(r.Body).Decode(&user)
    571. 

  571. 	if err != nil {
    572. 

  572. 		logger.Log(0, user.UserName, "error decoding request body: ",
    573. 

  573. 			err.Error())
    574. 

  574. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    575. 

  575. 		return
    576. 

  576. 	}
    577. 

  577. 	if !servercfg.IsPro {
    578. 

  578. 		user.PlatformRoleID = models.AdminRole
    579. 

  579. 	}
    580. 

  580. 

  581. 	if user.PlatformRoleID == "" {
    582. 

  582. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    583. 

  583. 		return
    584. 

  584. 	}
    585. 

  585. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    586. 

  586. 	if err != nil {
    587. 

  587. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    588. 

  588. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    589. 

  589. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    590. 

  590. 		return
    591. 

  591. 	}
    592. 

  592. 	if userRole.ID == models.SuperAdminRole {
    593. 

  593. 		err = errors.New("additional superadmins cannot be created")
    594. 

  594. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    595. 

  595. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    596. 

  596. 		return
    597. 

  597. 	}
    598. 

  598. 

  599. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    600. 

  600. 		err = errors.New("only superadmin can create admin users")
    601. 

  601. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    602. 

  602. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    603. 

  603. 		return
    604. 

  604. 	}
    605. 

  605. 

  606. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    607. 

  607. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    608. 

  608. 		return
    609. 

  609. 	}
    610. 

  610. 

  611. 	err = logic.CreateUser(&user)
    612. 

  612. 	if err != nil {
    613. 

  613. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    614. 

  614. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    615. 

  615. 		return
    616. 

  616. 	}
    617. 

  617. 	logic.DeleteUserInvite(user.UserName)
    618. 

  618. 	logic.DeletePendingUser(user.UserName)
    619. 

  619. 	go mq.PublishPeerUpdate(false)
    620. 

  620. 	slog.Info("user was created", "username", user.UserName)
    621. 

  621. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    622. 

  622. }
    623. 

  623. 

  624. // @Summary     Update a user
    625. 

  625. // @Router      /api/users/{username} [put]
    626. 

  626. // @Tags        Users
    627. 

  627. // @Param       username path string true "Username of the user to update"
    628. 

  628. // @Param       body body models.User true "User details"
    629. 

  629. // @Success     200 {object} models.User
    630. 

  630. // @Failure     400 {object} models.ErrorResponse
    631. 

  631. // @Failure     403 {object} models.ErrorResponse
    632. 

  632. // @Failure     500 {object} models.ErrorResponse
    633. 

  633. func updateUser(w http.ResponseWriter, r *http.Request) {
    634. 

  634. 	w.Header().Set("Content-Type", "application/json")
    635. 

  635. 	var params = mux.Vars(r)
    636. 

  636. 	// start here
    637. 

  637. 	var caller *models.User
    638. 

  638. 	var err error
    639. 

  639. 	var ismaster bool
    640. 

  640. 	if r.Header.Get("user") == logic.MasterUser {
    641. 

  641. 		ismaster = true
    642. 

  642. 	} else {
    643. 

  643. 		caller, err = logic.GetUser(r.Header.Get("user"))
    644. 

  644. 		if err != nil {
    645. 

  645. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    646. 

  646. 		}
    647. 

  647. 	}
    648. 

  648. 

  649. 	username := params["username"]
    650. 

  650. 	user, err := logic.GetUser(username)
    651. 

  651. 	if err != nil {
    652. 

  652. 		logger.Log(0, username,
    653. 

  653. 			"failed to update user info: ", err.Error())
    654. 

  654. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    655. 

  655. 		return
    656. 

  656. 	}
    657. 

  657. 	var userchange models.User
    658. 

  658. 	// we decode our body request params
    659. 

  659. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    660. 

  660. 	if err != nil {
    661. 

  661. 		slog.Error("failed to decode body", "error ", err.Error())
    662. 

  662. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    663. 

  663. 		return
    664. 

  664. 	}
    665. 

  665. 	if user.UserName != userchange.UserName {
    666. 

  666. 		logic.ReturnErrorResponse(
    667. 

  667. 			w,
    668. 

  668. 			r,
    669. 

  669. 			logic.FormatError(
    670. 

  670. 				errors.New("user in param and request body not matching"),
    671. 

  671. 				"badrequest",
    672. 

  672. 			),
    673. 

  673. 		)
    674. 

  674. 		return
    675. 

  675. 	}
    676. 

  676. 	selfUpdate := false
    677. 

  677. 	if !ismaster && caller.UserName == user.UserName {
    678. 

  678. 		selfUpdate = true
    679. 

  679. 	}
    680. 

  680. 

  681. 	if !ismaster && !selfUpdate {
    682. 

  682. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    683. 

  683. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    684. 

  684. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    685. 

  685. 			return
    686. 

  686. 		}
    687. 

  687. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    688. 

  688. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    689. 

  689. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    690. 

  690. 			return
    691. 

  691. 		}
    692. 

  692. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    693. 

  693. 			slog.Error("an admin user does not have permissions to update another admin user", "caller", caller.UserName, "attempted to update admin user", username)
    694. 

  694. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("an admin user does not have permissions to update another admin user"), "forbidden"))
    695. 

  695. 			return
    696. 

  696. 		}
    697. 

  697. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    698. 

  698. 			err = errors.New("an admin user does not have permissions to assign the admin role to another user")
    699. 

  699. 			slog.Error(
    700. 

  700. 				"failed to update user",
    701. 

  701. 				"caller",
    702. 

  702. 				caller.UserName,
    703. 

  703. 				"attempted to update user",
    704. 

  704. 				username,
    705. 

  705. 				"error",
    706. 

  706. 				err,
    707. 

  707. 			)
    708. 

  708. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    709. 

  709. 			return
    710. 

  710. 		}
    711. 

  711. 

  712. 	}
    713. 

  713. 	if !ismaster && selfUpdate {
    714. 

  714. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    715. 

  715. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    716. 

  716. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    717. 

  717. 			return
    718. 

  718. 

  719. 		}
    720. 

  720. 		if servercfg.IsPro {
    721. 

  721. 			// user cannot update his own roles and groups
    722. 

  722. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    723. 

  723. 				err = errors.New("user cannot update self update their network roles")
    724. 

  724. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    725. 

  725. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    726. 

  726. 				return
    727. 

  727. 			}
    728. 

  728. 			// user cannot update his own roles and groups
    729. 

  729. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    730. 

  730. 				err = errors.New("user cannot update self update their groups")
    731. 

  731. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    732. 

  732. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    733. 

  733. 				return
    734. 

  734. 			}
    735. 

  735. 		}
    736. 

  736. 

  737. 	}
    738. 

  738. 	if ismaster {
    739. 

  739. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    740. 

  740. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    741. 

  741. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    742. 

  742. 			return
    743. 

  743. 		}
    744. 

  744. 	}
    745. 

  745. 

  746. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    747. 

  747. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    748. 

  748. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    749. 

  749. 		return
    750. 

  750. 	}
    751. 

  751. 	logic.AddGlobalNetRolesToAdmins(&userchange)
    752. 

  752. 	if userchange.PlatformRoleID != user.PlatformRoleID || !logic.CompareMaps(user.UserGroups, userchange.UserGroups) {
    753. 

  753. 		(&schema.UserAccessToken{UserName: user.UserName}).DeleteAllUserTokens(r.Context())
    754. 

  754. 	}
    755. 

  755. 	user, err = logic.UpdateUser(&userchange, user)
    756. 

  756. 	if err != nil {
    757. 

  757. 		logger.Log(0, username,
    758. 

  758. 			"failed to update user info: ", err.Error())
    759. 

  759. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    760. 

  760. 		return
    761. 

  761. 	}
    762. 

  762. 	go mq.PublishPeerUpdate(false)
    763. 

  763. 	logger.Log(1, username, "was updated")
    764. 

  764. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    765. 

  765. }
    766. 

  766. 

  767. // @Summary     Delete a user
    768. 

  768. // @Router      /api/users/{username} [delete]
    769. 

  769. // @Tags        Users
    770. 

  770. // @Param       username path string true "Username of the user to delete"
    771. 

  771. // @Success     200 {string} string
    772. 

  772. // @Failure     500 {object} models.ErrorResponse
    773. 

  773. func deleteUser(w http.ResponseWriter, r *http.Request) {
    774. 

  774. 	// Set header
    775. 

  775. 	w.Header().Set("Content-Type", "application/json")
    776. 

  776. 

  777. 	// get params
    778. 

  778. 	var params = mux.Vars(r)
    779. 

  779. 	caller, err := logic.GetUser(r.Header.Get("user"))
    780. 

  780. 	if err != nil {
    781. 

  781. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    782. 

  782. 	}
    783. 

  783. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    784. 

  784. 	if err != nil {
    785. 

  785. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    786. 

  786. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    787. 

  787. 		return
    788. 

  788. 	}
    789. 

  789. 	username := params["username"]
    790. 

  790. 	user, err := logic.GetUser(username)
    791. 

  791. 	if err != nil {
    792. 

  792. 		logger.Log(0, username,
    793. 

  793. 			"failed to update user info: ", err.Error())
    794. 

  794. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    795. 

  795. 		return
    796. 

  796. 	}
    797. 

  797. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    798. 

  798. 	if err != nil {
    799. 

  799. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    800. 

  800. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    801. 

  801. 		return
    802. 

  802. 	}
    803. 

  803. 	if userRole.ID == models.SuperAdminRole {
    804. 

  804. 		slog.Error(
    805. 

  805. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    806. 

  806. 		logic.ReturnErrorResponse(
    807. 

  807. 			w,
    808. 

  808. 			r,
    809. 

  809. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    810. 

  810. 		)
    811. 

  811. 		return
    812. 

  812. 	}
    813. 

  813. 	if callerUserRole.ID != models.SuperAdminRole {
    814. 

  814. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    815. 

  815. 			slog.Error(
    816. 

  816. 				"failed to delete user: ",
    817. 

  817. 				"user",
    818. 

  818. 				username,
    819. 

  819. 				"error",
    820. 

  820. 				"admin cannot delete another admin user, including oneself",
    821. 

  821. 			)
    822. 

  822. 			logic.ReturnErrorResponse(
    823. 

  823. 				w,
    824. 

  824. 				r,
    825. 

  825. 				logic.FormatError(
    826. 

  826. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    827. 

  827. 					"internal",
    828. 

  828. 				),
    829. 

  829. 			)
    830. 

  830. 			return
    831. 

  831. 		}
    832. 

  832. 	}
    833. 

  833. 	err = logic.DeleteUser(username)
    834. 

  834. 	if err != nil {
    835. 

  835. 		logger.Log(0, username,
    836. 

  836. 			"failed to delete user: ", err.Error())
    837. 

  837. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    838. 

  838. 		return
    839. 

  839. 	}
    840. 

  840. 	// check and delete extclient with this ownerID
    841. 

  841. 	go func() {
    842. 

  842. 		extclients, err := logic.GetAllExtClients()
    843. 

  843. 		if err != nil {
    844. 

  844. 			slog.Error("failed to get extclients", "error", err)
    845. 

  845. 			return
    846. 

  846. 		}
    847. 

  847. 		for _, extclient := range extclients {
    848. 

  848. 			if extclient.OwnerID == user.UserName {
    849. 

  849. 				err = logic.DeleteExtClientAndCleanup(extclient)
    850. 

  850. 				if err != nil {
    851. 

  851. 					slog.Error("failed to delete extclient",
    852. 

  852. 						"id", extclient.ClientID, "owner", username, "error", err)
    853. 

  853. 				} else {
    854. 

  854. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    855. 

  855. 						slog.Error("error setting ext peers: " + err.Error())
    856. 

  856. 					}
    857. 

  857. 				}
    858. 

  858. 			}
    859. 

  859. 		}
    860. 

  860. 		mq.PublishPeerUpdate(false)
    861. 

  861. 		if servercfg.IsDNSMode() {
    862. 

  862. 			logic.SetDNS()
    863. 

  863. 		}
    864. 

  864. 	}()
    865. 

  865. 	logger.Log(1, username, "was deleted")
    866. 

  866. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    867. 

  867. }
    868. 

  868. 

  869. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    870. 

  870. func socketHandler(w http.ResponseWriter, r *http.Request) {
    871. 

  871. 	// Upgrade our raw HTTP connection to a websocket based one
    872. 

  872. 	conn, err := upgrader.Upgrade(w, r, nil)
    873. 

  873. 	if err != nil {
    874. 

  874. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    875. 

  875. 		return
    876. 

  876. 	}
    877. 

  877. 	if conn == nil {
    878. 

  878. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    879. 

  879. 		return
    880. 

  880. 	}
    881. 

  881. 	// Start handling the session
    882. 

  882. 	go auth.SessionHandler(conn)
    883. 

  883. }
    884. 

  884. 

  885. // @Summary     lists all user roles.
    886. 

  886. // @Router      /api/v1/user/roles [get]
    887. 

  887. // @Tags        Users
    888. 

  888. // @Param       role_id query string true "roleid required to get the role details"
    889. 

  889. // @Success     200 {object}  []models.UserRolePermissionTemplate
    890. 

  890. // @Failure     500 {object} models.ErrorResponse
    891. 

  891. func listRoles(w http.ResponseWriter, r *http.Request) {
    892. 

  892. 	var roles []models.UserRolePermissionTemplate
    893. 

  893. 	var err error
    894. 

  894. 	roles, err = logic.ListPlatformRoles()
    895. 

  895. 	if err != nil {
    896. 

  896. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    897. 

  897. 			Code:    http.StatusInternalServerError,
    898. 

  898. 			Message: err.Error(),
    899. 

  899. 		})
    900. 

  900. 		return
    901. 

  901. 	}
    902. 

  902. 

  903. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    904. 

  904. }
    905.