Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
golang
/
netmaker
-ын хуулбар https://github.com/gravitl/netmaker
2
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Салаа: NET-1932-v1
Салаанууд Тагууд
netmaker
/
controllers
/
user.go

user.go 31 KB
Байнгын холболт Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"reflect"
    9. 

  9. 	"time"
    10. 

  10. 

  11. 	"github.com/google/uuid"
    12. 

  12. 	"github.com/gorilla/mux"
    13. 

  13. 	"github.com/gorilla/websocket"
    14. 

  14. 	"github.com/gravitl/netmaker/auth"
    15. 

  15. 	"github.com/gravitl/netmaker/logger"
    16. 

  16. 	"github.com/gravitl/netmaker/logic"
    17. 

  17. 	"github.com/gravitl/netmaker/models"
    18. 

  18. 	"github.com/gravitl/netmaker/mq"
    19. 

  19. 	"github.com/gravitl/netmaker/schema"
    20. 

  20. 	"github.com/gravitl/netmaker/servercfg"
    21. 

  21. 	"golang.org/x/exp/slog"
    22. 

  22. )
    23. 

  23. 

  24. var (
    25. 

  25. 	upgrader = websocket.Upgrader{}
    26. 

  26. )
    27. 

  27. 

  28. var ListRoles = listRoles
    29. 

  29. 

  30. func userHandlers(r *mux.Router) {
    31. 

  31. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    32. 

  32. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    34. 

  34. 		Methods(http.MethodPost)
    35. 

  35. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    37. 

  37. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    38. 

  38. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    39. 

  39. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    40. 

  40. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    42. 

  42. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    43. 

  43. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(createUserAccessToken))).Methods(http.MethodPost)
    44. 

  44. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(getUserAccessTokens))).Methods(http.MethodGet)
    45. 

  45. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(deleteUserAccessTokens))).Methods(http.MethodDelete)
    46. 

  46. }
    47. 

  47. 

  48. // @Summary     Authenticate a user to retrieve an authorization token
    49. 

  49. // @Router      /api/v1/users/{username}/access_token [post]
    50. 

  50. // @Tags        Auth
    51. 

  51. // @Accept      json
    52. 

  52. // @Param       body body models.UserAuthParams true "Authentication parameters"
    53. 

  53. // @Success     200 {object} models.SuccessResponse
    54. 

  54. // @Failure     400 {object} models.ErrorResponse
    55. 

  55. // @Failure     401 {object} models.ErrorResponse
    56. 

  56. // @Failure     500 {object} models.ErrorResponse
    57. 

  57. func createUserAccessToken(w http.ResponseWriter, r *http.Request) {
    58. 

  58. 

  59. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    60. 

  60. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    61. 

  61. 	var req schema.UserAccessToken
    62. 

  62. 

  63. 	err := json.NewDecoder(r.Body).Decode(&req)
    64. 

  64. 	if err != nil {
    65. 

  65. 		logger.Log(0, "error decoding request body: ",
    66. 

  66. 			err.Error())
    67. 

  67. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    68. 

  68. 		return
    69. 

  69. 	}
    70. 

  70. 	if req.Name == "" {
    71. 

  71. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("name is required"), "badrequest"))
    72. 

  72. 		return
    73. 

  73. 	}
    74. 

  74. 	if req.UserName == "" {
    75. 

  75. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    76. 

  76. 		return
    77. 

  77. 	}
    78. 

  78. 	caller, err := logic.GetUser(r.Header.Get("user"))
    79. 

  79. 	if err != nil {
    80. 

  80. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    81. 

  81. 		return
    82. 

  82. 	}
    83. 

  83. 	user, err := logic.GetUser(req.UserName)
    84. 

  84. 	if err != nil {
    85. 

  85. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    86. 

  86. 		return
    87. 

  87. 	}
    88. 

  88. 	if caller.UserName != user.UserName && caller.PlatformRoleID != models.SuperAdminRole {
    89. 

  89. 		if caller.PlatformRoleID == models.AdminRole {
    90. 

  90. 			if user.PlatformRoleID == models.SuperAdminRole || user.PlatformRoleID == models.AdminRole {
    91. 

  91. 				logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to create token for user "+user.UserName), logic.Forbidden_Msg))
    92. 

  92. 				return
    93. 

  93. 			}
    94. 

  94. 		} else {
    95. 

  95. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to create token for user "+user.UserName), logic.Forbidden_Msg))
    96. 

  96. 			return
    97. 

  97. 		}
    98. 

  98. 	}
    99. 

  99. 

  100. 	req.ID = uuid.New().String()
    101. 

  101. 	req.CreatedBy = r.Header.Get("user")
    102. 

  102. 	req.CreatedAt = time.Now()
    103. 

  103. 	jwt, err := logic.CreateUserAccessJwtToken(user.UserName, user.PlatformRoleID, req.ExpiresAt, req.ID)
    104. 

  104. 	if jwt == "" {
    105. 

  105. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    106. 

  106. 		logic.ReturnErrorResponse(
    107. 

  107. 			w,
    108. 

  108. 			r,
    109. 

  109. 			logic.FormatError(errors.New("error creating access token "+err.Error()), "internal"),
    110. 

  110. 		)
    111. 

  111. 		return
    112. 

  112. 	}
    113. 

  113. 	err = req.Create()
    114. 

  114. 	if err != nil {
    115. 

  115. 		logic.ReturnErrorResponse(
    116. 

  116. 			w,
    117. 

  117. 			r,
    118. 

  118. 			logic.FormatError(errors.New("error creating access token "+err.Error()), "internal"),
    119. 

  119. 		)
    120. 

  120. 		return
    121. 

  121. 	}
    122. 

  122. 	logic.ReturnSuccessResponseWithJson(w, r, models.SuccessfulUserLoginResponse{
    123. 

  123. 		AuthToken: jwt,
    124. 

  124. 		UserName:  req.UserName,
    125. 

  125. 	}, "api access token has generated for user "+req.UserName)
    126. 

  126. }
    127. 

  127. 

  128. // @Summary     Authenticate a user to retrieve an authorization token
    129. 

  129. // @Router      /api/v1/users/{username}/access_token [post]
    130. 

  130. // @Tags        Auth
    131. 

  131. // @Accept      json
    132. 

  132. // @Param       body body models.UserAuthParams true "Authentication parameters"
    133. 

  133. // @Success     200 {object} models.SuccessResponse
    134. 

  134. // @Failure     400 {object} models.ErrorResponse
    135. 

  135. // @Failure     401 {object} models.ErrorResponse
    136. 

  136. // @Failure     500 {object} models.ErrorResponse
    137. 

  137. func getUserAccessTokens(w http.ResponseWriter, r *http.Request) {
    138. 

  138. 	username := r.URL.Query().Get("username")
    139. 

  139. 	if username == "" {
    140. 

  140. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    141. 

  141. 		return
    142. 

  142. 	}
    143. 

  143. 	logic.ReturnSuccessResponseWithJson(w, r, (&schema.UserAccessToken{UserName: username}).ListByUser(), "fetched api access tokens for user "+username)
    144. 

  144. }
    145. 

  145. 

  146. // @Summary     Authenticate a user to retrieve an authorization token
    147. 

  147. // @Router      /api/v1/users/{username}/access_token [post]
    148. 

  148. // @Tags        Auth
    149. 

  149. // @Accept      json
    150. 

  150. // @Param       body body models.UserAuthParams true "Authentication parameters"
    151. 

  151. // @Success     200 {object} models.SuccessResponse
    152. 

  152. // @Failure     400 {object} models.ErrorResponse
    153. 

  153. // @Failure     401 {object} models.ErrorResponse
    154. 

  154. // @Failure     500 {object} models.ErrorResponse
    155. 

  155. func deleteUserAccessTokens(w http.ResponseWriter, r *http.Request) {
    156. 

  156. 	id := r.URL.Query().Get("id")
    157. 

  157. 	if id == "" {
    158. 

  158. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("id is required"), "badrequest"))
    159. 

  159. 		return
    160. 

  160. 	}
    161. 

  161. 	a := schema.UserAccessToken{
    162. 

  162. 		ID: id,
    163. 

  163. 	}
    164. 

  164. 	err := a.Get()
    165. 

  165. 	if err != nil {
    166. 

  166. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("id is required"), "badrequest"))
    167. 

  167. 		return
    168. 

  168. 	}
    169. 

  169. 	caller, err := logic.GetUser(r.Header.Get("user"))
    170. 

  170. 	if err != nil {
    171. 

  171. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    172. 

  172. 		return
    173. 

  173. 	}
    174. 

  174. 	user, err := logic.GetUser(a.UserName)
    175. 

  175. 	if err != nil {
    176. 

  176. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    177. 

  177. 		return
    178. 

  178. 	}
    179. 

  179. 	if caller.UserName != user.UserName && caller.PlatformRoleID != models.SuperAdminRole {
    180. 

  180. 		if caller.PlatformRoleID == models.AdminRole {
    181. 

  181. 			if user.PlatformRoleID == models.SuperAdminRole || user.PlatformRoleID == models.AdminRole {
    182. 

  182. 				logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to delete token of user "+user.UserName), logic.Forbidden_Msg))
    183. 

  183. 				return
    184. 

  184. 			}
    185. 

  185. 		} else {
    186. 

  186. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("not enough permissions to delete token of user "+user.UserName), logic.Forbidden_Msg))
    187. 

  187. 			return
    188. 

  188. 		}
    189. 

  189. 	}
    190. 

  190. 

  191. 	err = (&schema.UserAccessToken{ID: id}).Delete()
    192. 

  192. 	if err != nil {
    193. 

  193. 		logic.ReturnErrorResponse(
    194. 

  194. 			w,
    195. 

  195. 			r,
    196. 

  196. 			logic.FormatError(errors.New("error deleting access token "+err.Error()), "internal"),
    197. 

  197. 		)
    198. 

  198. 		return
    199. 

  199. 	}
    200. 

  200. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "revoked access token")
    201. 

  201. }
    202. 

  202. 

  203. // @Summary     Authenticate a user to retrieve an authorization token
    204. 

  204. // @Router      /api/users/adm/authenticate [post]
    205. 

  205. // @Tags        Auth
    206. 

  206. // @Accept      json
    207. 

  207. // @Param       body body models.UserAuthParams true "Authentication parameters"
    208. 

  208. // @Success     200 {object} models.SuccessResponse
    209. 

  209. // @Failure     400 {object} models.ErrorResponse
    210. 

  210. // @Failure     401 {object} models.ErrorResponse
    211. 

  211. // @Failure     500 {object} models.ErrorResponse
    212. 

  212. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    213. 

  213. 

  214. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    215. 

  215. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    216. 

  216. 	var authRequest models.UserAuthParams
    217. 

  217. 	var errorResponse = models.ErrorResponse{
    218. 

  218. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    219. 

  219. 	}
    220. 

  220. 

  221. 	if !servercfg.IsBasicAuthEnabled() {
    222. 

  222. 		logic.ReturnErrorResponse(
    223. 

  223. 			response,
    224. 

  224. 			request,
    225. 

  225. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    226. 

  226. 		)
    227. 

  227. 		return
    228. 

  228. 	}
    229. 

  229. 

  230. 	decoder := json.NewDecoder(request.Body)
    231. 

  231. 	decoderErr := decoder.Decode(&authRequest)
    232. 

  232. 	defer request.Body.Close()
    233. 

  233. 	if decoderErr != nil {
    234. 

  234. 		logger.Log(0, "error decoding request body: ",
    235. 

  235. 			decoderErr.Error())
    236. 

  236. 		logic.ReturnErrorResponse(response, request, errorResponse)
    237. 

  237. 		return
    238. 

  238. 	}
    239. 

  239. 	if val := request.Header.Get("From-Ui"); val == "true" {
    240. 

  240. 		// request came from UI, if normal user block Login
    241. 

  241. 		user, err := logic.GetUser(authRequest.UserName)
    242. 

  242. 		if err != nil {
    243. 

  243. 			logger.Log(0, authRequest.UserName, "user validation failed: ",
    244. 

  244. 				err.Error())
    245. 

  245. 			logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    246. 

  246. 			return
    247. 

  247. 		}
    248. 

  248. 		role, err := logic.GetRole(user.PlatformRoleID)
    249. 

  249. 		if err != nil {
    250. 

  250. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    251. 

  251. 			return
    252. 

  252. 		}
    253. 

  253. 		if role.DenyDashboardAccess {
    254. 

  254. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    255. 

  255. 			return
    256. 

  256. 		}
    257. 

  257. 	}
    258. 

  258. 	user, err := logic.GetUser(authRequest.UserName)
    259. 

  259. 	if err != nil {
    260. 

  260. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    261. 

  261. 		return
    262. 

  262. 	}
    263. 

  263. 	if logic.IsOauthUser(user) == nil {
    264. 

  264. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    265. 

  265. 		return
    266. 

  266. 	}
    267. 

  267. 	username := authRequest.UserName
    268. 

  268. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    269. 

  269. 	if err != nil {
    270. 

  270. 		logger.Log(0, username, "user validation failed: ",
    271. 

  271. 			err.Error())
    272. 

  272. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    273. 

  273. 		return
    274. 

  274. 	}
    275. 

  275. 

  276. 	if jwt == "" {
    277. 

  277. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    278. 

  278. 		logger.Log(0, username, "jwt token is empty")
    279. 

  279. 		logic.ReturnErrorResponse(
    280. 

  280. 			response,
    281. 

  281. 			request,
    282. 

  282. 			logic.FormatError(errors.New("no token returned"), "internal"),
    283. 

  283. 		)
    284. 

  284. 		return
    285. 

  285. 	}
    286. 

  286. 

  287. 	var successResponse = models.SuccessResponse{
    288. 

  288. 		Code:    http.StatusOK,
    289. 

  289. 		Message: "W1R3: Device " + username + " Authorized",
    290. 

  290. 		Response: models.SuccessfulUserLoginResponse{
    291. 

  291. 			AuthToken: jwt,
    292. 

  292. 			UserName:  username,
    293. 

  293. 		},
    294. 

  294. 	}
    295. 

  295. 	// Send back the JWT
    296. 

  296. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    297. 

  297. 	if jsonError != nil {
    298. 

  298. 		logger.Log(0, username,
    299. 

  299. 			"error marshalling resp: ", jsonError.Error())
    300. 

  300. 		logic.ReturnErrorResponse(response, request, errorResponse)
    301. 

  301. 		return
    302. 

  302. 	}
    303. 

  303. 	logger.Log(2, username, "was authenticated")
    304. 

  304. 	response.Header().Set("Content-Type", "application/json")
    305. 

  305. 	response.Write(successJSONResponse)
    306. 

  306. 

  307. 	go func() {
    308. 

  308. 		if servercfg.IsPro && servercfg.GetRacAutoDisable() {
    309. 

  309. 			// enable all associeated clients for the user
    310. 

  310. 			clients, err := logic.GetAllExtClients()
    311. 

  311. 			if err != nil {
    312. 

  312. 				slog.Error("error getting clients: ", "error", err)
    313. 

  313. 				return
    314. 

  314. 			}
    315. 

  315. 			for _, client := range clients {
    316. 

  316. 				if client.OwnerID == username && !client.Enabled {
    317. 

  317. 					slog.Info(
    318. 

  318. 						fmt.Sprintf(
    319. 

  319. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    320. 

  320. 							client.ClientID,
    321. 

  321. 							client.OwnerID,
    322. 

  322. 						),
    323. 

  323. 					)
    324. 

  324. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    325. 

  325. 						slog.Error(
    326. 

  326. 							"error enabling ext client in RAC autodisable hook",
    327. 

  327. 							"error",
    328. 

  328. 							err,
    329. 

  329. 						)
    330. 

  330. 						continue // dont return but try for other clients
    331. 

  331. 					} else {
    332. 

  332. 						// publish peer update to ingress gateway
    333. 

  333. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    334. 

  334. 							if err = mq.PublishPeerUpdate(false); err != nil {
    335. 

  335. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    336. 

  336. 							}
    337. 

  337. 						}
    338. 

  338. 					}
    339. 

  339. 				}
    340. 

  340. 			}
    341. 

  341. 		}
    342. 

  342. 	}()
    343. 

  343. }
    344. 

  344. 

  345. // @Summary     Check if the server has a super admin
    346. 

  346. // @Router      /api/users/adm/hassuperadmin [get]
    347. 

  347. // @Tags        Users
    348. 

  348. // @Success     200 {object} bool
    349. 

  349. // @Failure     500 {object} models.ErrorResponse
    350. 

  350. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    351. 

  351. 

  352. 	w.Header().Set("Content-Type", "application/json")
    353. 

  353. 

  354. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    355. 

  355. 	if err != nil {
    356. 

  356. 		logger.Log(0, "failed to check for admin: ", err.Error())
    357. 

  357. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    358. 

  358. 		return
    359. 

  359. 	}
    360. 

  360. 

  361. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    362. 

  362. 

  363. }
    364. 

  364. 

  365. // @Summary     Get an individual user
    366. 

  366. // @Router      /api/users/{username} [get]
    367. 

  367. // @Tags        Users
    368. 

  368. // @Param       username path string true "Username of the user to fetch"
    369. 

  369. // @Success     200 {object} models.User
    370. 

  370. // @Failure     500 {object} models.ErrorResponse
    371. 

  371. func getUser(w http.ResponseWriter, r *http.Request) {
    372. 

  372. 	// set header.
    373. 

  373. 	w.Header().Set("Content-Type", "application/json")
    374. 

  374. 

  375. 	var params = mux.Vars(r)
    376. 

  376. 	usernameFetched := params["username"]
    377. 

  377. 	user, err := logic.GetReturnUser(usernameFetched)
    378. 

  378. 

  379. 	if err != nil {
    380. 

  380. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    381. 

  381. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    382. 

  382. 		return
    383. 

  383. 	}
    384. 

  384. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    385. 

  385. 	json.NewEncoder(w).Encode(user)
    386. 

  386. }
    387. 

  387. 

  388. // swagger:route GET /api/v1/users user getUserV1
    389. 

  389. //
    390. 

  390. // Get an individual user with role info.
    391. 

  391. //
    392. 

  392. //			Schemes: https
    393. 

  393. //
    394. 

  394. //			Security:
    395. 

  395. //	  		oauth
    396. 

  396. //
    397. 

  397. //			Responses:
    398. 

  398. //				200: ReturnUserWithRolesAndGroups
    399. 

  399. func getUserV1(w http.ResponseWriter, r *http.Request) {
    400. 

  400. 	// set header.
    401. 

  401. 	w.Header().Set("Content-Type", "application/json")
    402. 

  402. 	usernameFetched := r.URL.Query().Get("username")
    403. 

  403. 	if usernameFetched == "" {
    404. 

  404. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    405. 

  405. 		return
    406. 

  406. 	}
    407. 

  407. 	user, err := logic.GetReturnUser(usernameFetched)
    408. 

  408. 	if err != nil {
    409. 

  409. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    410. 

  410. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    411. 

  411. 		return
    412. 

  412. 	}
    413. 

  413. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    414. 

  414. 	if err != nil {
    415. 

  415. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    416. 

  416. 		return
    417. 

  417. 	}
    418. 

  418. 	resp := models.ReturnUserWithRolesAndGroups{
    419. 

  419. 		ReturnUser:   user,
    420. 

  420. 		PlatformRole: userRoleTemplate,
    421. 

  421. 		UserGroups:   map[models.UserGroupID]models.UserGroup{},
    422. 

  422. 	}
    423. 

  423. 	for gId := range user.UserGroups {
    424. 

  424. 		grp, err := logic.GetUserGroup(gId)
    425. 

  425. 		if err != nil {
    426. 

  426. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    427. 

  427. 			return
    428. 

  428. 		}
    429. 

  429. 		resp.UserGroups[gId] = grp
    430. 

  430. 	}
    431. 

  431. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    432. 

  432. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    433. 

  433. }
    434. 

  434. 

  435. // swagger:route GET /api/users user getUsers
    436. 

  436. //
    437. 

  437. // Get all users.
    438. 

  438. //
    439. 

  439. //			Schemes: https
    440. 

  440. //
    441. 

  441. //			Security:
    442. 

  442. //	  		oauth
    443. 

  443. //
    444. 

  444. //			Responses:
    445. 

  445. //				200: userBodyResponse
    446. 

  446. func getUsers(w http.ResponseWriter, r *http.Request) {
    447. 

  447. 	// set header.
    448. 

  448. 	w.Header().Set("Content-Type", "application/json")
    449. 

  449. 

  450. 	users, err := logic.GetUsers()
    451. 

  451. 

  452. 	if err != nil {
    453. 

  453. 		logger.Log(0, "failed to fetch users: ", err.Error())
    454. 

  454. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    455. 

  455. 		return
    456. 

  456. 	}
    457. 

  457. 

  458. 	logic.SortUsers(users[:])
    459. 

  459. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    460. 

  460. 	json.NewEncoder(w).Encode(users)
    461. 

  461. }
    462. 

  462. 

  463. // @Summary     Create a super admin
    464. 

  464. // @Router      /api/users/adm/createsuperadmin [post]
    465. 

  465. // @Tags        Users
    466. 

  466. // @Param       body body models.User true "User details"
    467. 

  467. // @Success     200 {object} models.User
    468. 

  468. // @Failure     400 {object} models.ErrorResponse
    469. 

  469. // @Failure     500 {object} models.ErrorResponse
    470. 

  470. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    471. 

  471. 	w.Header().Set("Content-Type", "application/json")
    472. 

  472. 

  473. 	var u models.User
    474. 

  474. 

  475. 	err := json.NewDecoder(r.Body).Decode(&u)
    476. 

  476. 	if err != nil {
    477. 

  477. 		slog.Error("error decoding request body", "error", err.Error())
    478. 

  478. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    479. 

  479. 		return
    480. 

  480. 	}
    481. 

  481. 

  482. 	if !servercfg.IsBasicAuthEnabled() {
    483. 

  483. 		logic.ReturnErrorResponse(
    484. 

  484. 			w,
    485. 

  485. 			r,
    486. 

  486. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    487. 

  487. 		)
    488. 

  488. 		return
    489. 

  489. 	}
    490. 

  490. 

  491. 	err = logic.CreateSuperAdmin(&u)
    492. 

  492. 	if err != nil {
    493. 

  493. 		slog.Error("failed to create admin", "error", err.Error())
    494. 

  494. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    495. 

  495. 		return
    496. 

  496. 	}
    497. 

  497. 	logger.Log(1, u.UserName, "was made a super admin")
    498. 

  498. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    499. 

  499. }
    500. 

  500. 

  501. // @Summary     Transfer super admin role to another admin user
    502. 

  502. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    503. 

  503. // @Tags        Users
    504. 

  504. // @Param       username path string true "Username of the user to transfer super admin role"
    505. 

  505. // @Success     200 {object} models.User
    506. 

  506. // @Failure     403 {object} models.ErrorResponse
    507. 

  507. // @Failure     500 {object} models.ErrorResponse
    508. 

  508. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    509. 

  509. 	w.Header().Set("Content-Type", "application/json")
    510. 

  510. 	caller, err := logic.GetUser(r.Header.Get("user"))
    511. 

  511. 	if err != nil {
    512. 

  512. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    513. 

  513. 	}
    514. 

  514. 	if caller.PlatformRoleID != models.SuperAdminRole {
    515. 

  515. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    516. 

  516. 		return
    517. 

  517. 	}
    518. 

  518. 	var params = mux.Vars(r)
    519. 

  519. 	username := params["username"]
    520. 

  520. 	u, err := logic.GetUser(username)
    521. 

  521. 	if err != nil {
    522. 

  522. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    523. 

  523. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    524. 

  524. 		return
    525. 

  525. 	}
    526. 

  526. 	if u.PlatformRoleID != models.AdminRole {
    527. 

  527. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    528. 

  528. 		return
    529. 

  529. 	}
    530. 

  530. 	if !servercfg.IsBasicAuthEnabled() {
    531. 

  531. 		logic.ReturnErrorResponse(
    532. 

  532. 			w,
    533. 

  533. 			r,
    534. 

  534. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    535. 

  535. 		)
    536. 

  536. 		return
    537. 

  537. 	}
    538. 

  538. 

  539. 	u.PlatformRoleID = models.SuperAdminRole
    540. 

  540. 	err = logic.UpsertUser(*u)
    541. 

  541. 	if err != nil {
    542. 

  542. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    543. 

  543. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    544. 

  544. 		return
    545. 

  545. 	}
    546. 

  546. 	caller.PlatformRoleID = models.AdminRole
    547. 

  547. 	err = logic.UpsertUser(*caller)
    548. 

  548. 	if err != nil {
    549. 

  549. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    550. 

  550. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    551. 

  551. 		return
    552. 

  552. 	}
    553. 

  553. 	slog.Info("user was made a super admin", "user", u.UserName)
    554. 

  554. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    555. 

  555. }
    556. 

  556. 

  557. // @Summary     Create a user
    558. 

  558. // @Router      /api/users/{username} [post]
    559. 

  559. // @Tags        Users
    560. 

  560. // @Param       username path string true "Username of the user to create"
    561. 

  561. // @Param       body body models.User true "User details"
    562. 

  562. // @Success     200 {object} models.User
    563. 

  563. // @Failure     400 {object} models.ErrorResponse
    564. 

  564. // @Failure     403 {object} models.ErrorResponse
    565. 

  565. // @Failure     500 {object} models.ErrorResponse
    566. 

  566. func createUser(w http.ResponseWriter, r *http.Request) {
    567. 

  567. 	w.Header().Set("Content-Type", "application/json")
    568. 

  568. 	caller, err := logic.GetUser(r.Header.Get("user"))
    569. 

  569. 	if err != nil {
    570. 

  570. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    571. 

  571. 		return
    572. 

  572. 	}
    573. 

  573. 	var user models.User
    574. 

  574. 	err = json.NewDecoder(r.Body).Decode(&user)
    575. 

  575. 	if err != nil {
    576. 

  576. 		logger.Log(0, user.UserName, "error decoding request body: ",
    577. 

  577. 			err.Error())
    578. 

  578. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    579. 

  579. 		return
    580. 

  580. 	}
    581. 

  581. 	if !servercfg.IsPro {
    582. 

  582. 		user.PlatformRoleID = models.AdminRole
    583. 

  583. 	}
    584. 

  584. 

  585. 	if user.PlatformRoleID == "" {
    586. 

  586. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    587. 

  587. 		return
    588. 

  588. 	}
    589. 

  589. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    590. 

  590. 	if err != nil {
    591. 

  591. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    592. 

  592. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    593. 

  593. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    594. 

  594. 		return
    595. 

  595. 	}
    596. 

  596. 	if userRole.ID == models.SuperAdminRole {
    597. 

  597. 		err = errors.New("additional superadmins cannot be created")
    598. 

  598. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    599. 

  599. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    600. 

  600. 		return
    601. 

  601. 	}
    602. 

  602. 

  603. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    604. 

  604. 		err = errors.New("only superadmin can create admin users")
    605. 

  605. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    606. 

  606. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    607. 

  607. 		return
    608. 

  608. 	}
    609. 

  609. 

  610. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    611. 

  611. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    612. 

  612. 		return
    613. 

  613. 	}
    614. 

  614. 

  615. 	err = logic.CreateUser(&user)
    616. 

  616. 	if err != nil {
    617. 

  617. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    618. 

  618. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    619. 

  619. 		return
    620. 

  620. 	}
    621. 

  621. 	logic.DeleteUserInvite(user.UserName)
    622. 

  622. 	logic.DeletePendingUser(user.UserName)
    623. 

  623. 	go mq.PublishPeerUpdate(false)
    624. 

  624. 	slog.Info("user was created", "username", user.UserName)
    625. 

  625. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    626. 

  626. }
    627. 

  627. 

  628. // @Summary     Update a user
    629. 

  629. // @Router      /api/users/{username} [put]
    630. 

  630. // @Tags        Users
    631. 

  631. // @Param       username path string true "Username of the user to update"
    632. 

  632. // @Param       body body models.User true "User details"
    633. 

  633. // @Success     200 {object} models.User
    634. 

  634. // @Failure     400 {object} models.ErrorResponse
    635. 

  635. // @Failure     403 {object} models.ErrorResponse
    636. 

  636. // @Failure     500 {object} models.ErrorResponse
    637. 

  637. func updateUser(w http.ResponseWriter, r *http.Request) {
    638. 

  638. 	w.Header().Set("Content-Type", "application/json")
    639. 

  639. 	var params = mux.Vars(r)
    640. 

  640. 	// start here
    641. 

  641. 	var caller *models.User
    642. 

  642. 	var err error
    643. 

  643. 	var ismaster bool
    644. 

  644. 	if r.Header.Get("user") == logic.MasterUser {
    645. 

  645. 		ismaster = true
    646. 

  646. 	} else {
    647. 

  647. 		caller, err = logic.GetUser(r.Header.Get("user"))
    648. 

  648. 		if err != nil {
    649. 

  649. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    650. 

  650. 		}
    651. 

  651. 	}
    652. 

  652. 

  653. 	username := params["username"]
    654. 

  654. 	user, err := logic.GetUser(username)
    655. 

  655. 	if err != nil {
    656. 

  656. 		logger.Log(0, username,
    657. 

  657. 			"failed to update user info: ", err.Error())
    658. 

  658. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    659. 

  659. 		return
    660. 

  660. 	}
    661. 

  661. 	var userchange models.User
    662. 

  662. 	// we decode our body request params
    663. 

  663. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    664. 

  664. 	if err != nil {
    665. 

  665. 		slog.Error("failed to decode body", "error ", err.Error())
    666. 

  666. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    667. 

  667. 		return
    668. 

  668. 	}
    669. 

  669. 	if user.UserName != userchange.UserName {
    670. 

  670. 		logic.ReturnErrorResponse(
    671. 

  671. 			w,
    672. 

  672. 			r,
    673. 

  673. 			logic.FormatError(
    674. 

  674. 				errors.New("user in param and request body not matching"),
    675. 

  675. 				"badrequest",
    676. 

  676. 			),
    677. 

  677. 		)
    678. 

  678. 		return
    679. 

  679. 	}
    680. 

  680. 	selfUpdate := false
    681. 

  681. 	if !ismaster && caller.UserName == user.UserName {
    682. 

  682. 		selfUpdate = true
    683. 

  683. 	}
    684. 

  684. 

  685. 	if !ismaster && !selfUpdate {
    686. 

  686. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    687. 

  687. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    688. 

  688. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    689. 

  689. 			return
    690. 

  690. 		}
    691. 

  691. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    692. 

  692. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    693. 

  693. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    694. 

  694. 			return
    695. 

  695. 		}
    696. 

  696. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    697. 

  697. 			slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
    698. 

  698. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
    699. 

  699. 			return
    700. 

  700. 		}
    701. 

  701. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    702. 

  702. 			err = errors.New("admin user cannot update role of an another user to admin")
    703. 

  703. 			slog.Error(
    704. 

  704. 				"failed to update user",
    705. 

  705. 				"caller",
    706. 

  706. 				caller.UserName,
    707. 

  707. 				"attempted to update user",
    708. 

  708. 				username,
    709. 

  709. 				"error",
    710. 

  710. 				err,
    711. 

  711. 			)
    712. 

  712. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    713. 

  713. 			return
    714. 

  714. 		}
    715. 

  715. 

  716. 	}
    717. 

  717. 	if !ismaster && selfUpdate {
    718. 

  718. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    719. 

  719. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    720. 

  720. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    721. 

  721. 			return
    722. 

  722. 

  723. 		}
    724. 

  724. 		if servercfg.IsPro {
    725. 

  725. 			// user cannot update his own roles and groups
    726. 

  726. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    727. 

  727. 				err = errors.New("user cannot update self update their network roles")
    728. 

  728. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    729. 

  729. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    730. 

  730. 				return
    731. 

  731. 			}
    732. 

  732. 			// user cannot update his own roles and groups
    733. 

  733. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    734. 

  734. 				err = errors.New("user cannot update self update their groups")
    735. 

  735. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    736. 

  736. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    737. 

  737. 				return
    738. 

  738. 			}
    739. 

  739. 		}
    740. 

  740. 

  741. 	}
    742. 

  742. 	if ismaster {
    743. 

  743. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    744. 

  744. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    745. 

  745. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    746. 

  746. 			return
    747. 

  747. 		}
    748. 

  748. 	}
    749. 

  749. 

  750. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    751. 

  751. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    752. 

  752. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    753. 

  753. 		return
    754. 

  754. 	}
    755. 

  755. 	logic.AddGlobalNetRolesToAdmins(&userchange)
    756. 

  756. 	if userchange.PlatformRoleID != user.PlatformRoleID || !logic.CompareMaps(user.UserGroups, userchange.UserGroups) {
    757. 

  757. 		(&schema.UserAccessToken{UserName: user.UserName}).DeleteAllUserTokens()
    758. 

  758. 	}
    759. 

  759. 	user, err = logic.UpdateUser(&userchange, user)
    760. 

  760. 	if err != nil {
    761. 

  761. 		logger.Log(0, username,
    762. 

  762. 			"failed to update user info: ", err.Error())
    763. 

  763. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    764. 

  764. 		return
    765. 

  765. 	}
    766. 

  766. 	go mq.PublishPeerUpdate(false)
    767. 

  767. 	logger.Log(1, username, "was updated")
    768. 

  768. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    769. 

  769. }
    770. 

  770. 

  771. // @Summary     Delete a user
    772. 

  772. // @Router      /api/users/{username} [delete]
    773. 

  773. // @Tags        Users
    774. 

  774. // @Param       username path string true "Username of the user to delete"
    775. 

  775. // @Success     200 {string} string
    776. 

  776. // @Failure     500 {object} models.ErrorResponse
    777. 

  777. func deleteUser(w http.ResponseWriter, r *http.Request) {
    778. 

  778. 	// Set header
    779. 

  779. 	w.Header().Set("Content-Type", "application/json")
    780. 

  780. 

  781. 	// get params
    782. 

  782. 	var params = mux.Vars(r)
    783. 

  783. 	caller, err := logic.GetUser(r.Header.Get("user"))
    784. 

  784. 	if err != nil {
    785. 

  785. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    786. 

  786. 	}
    787. 

  787. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    788. 

  788. 	if err != nil {
    789. 

  789. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    790. 

  790. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    791. 

  791. 		return
    792. 

  792. 	}
    793. 

  793. 	username := params["username"]
    794. 

  794. 	user, err := logic.GetUser(username)
    795. 

  795. 	if err != nil {
    796. 

  796. 		logger.Log(0, username,
    797. 

  797. 			"failed to update user info: ", err.Error())
    798. 

  798. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    799. 

  799. 		return
    800. 

  800. 	}
    801. 

  801. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    802. 

  802. 	if err != nil {
    803. 

  803. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    804. 

  804. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    805. 

  805. 		return
    806. 

  806. 	}
    807. 

  807. 	if userRole.ID == models.SuperAdminRole {
    808. 

  808. 		slog.Error(
    809. 

  809. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    810. 

  810. 		logic.ReturnErrorResponse(
    811. 

  811. 			w,
    812. 

  812. 			r,
    813. 

  813. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    814. 

  814. 		)
    815. 

  815. 		return
    816. 

  816. 	}
    817. 

  817. 	if callerUserRole.ID != models.SuperAdminRole {
    818. 

  818. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    819. 

  819. 			slog.Error(
    820. 

  820. 				"failed to delete user: ",
    821. 

  821. 				"user",
    822. 

  822. 				username,
    823. 

  823. 				"error",
    824. 

  824. 				"admin cannot delete another admin user, including oneself",
    825. 

  825. 			)
    826. 

  826. 			logic.ReturnErrorResponse(
    827. 

  827. 				w,
    828. 

  828. 				r,
    829. 

  829. 				logic.FormatError(
    830. 

  830. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    831. 

  831. 					"internal",
    832. 

  832. 				),
    833. 

  833. 			)
    834. 

  834. 			return
    835. 

  835. 		}
    836. 

  836. 	}
    837. 

  837. 	err = logic.DeleteUser(username)
    838. 

  838. 	if err != nil {
    839. 

  839. 		logger.Log(0, username,
    840. 

  840. 			"failed to delete user: ", err.Error())
    841. 

  841. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    842. 

  842. 		return
    843. 

  843. 	}
    844. 

  844. 	// check and delete extclient with this ownerID
    845. 

  845. 	go func() {
    846. 

  846. 		extclients, err := logic.GetAllExtClients()
    847. 

  847. 		if err != nil {
    848. 

  848. 			slog.Error("failed to get extclients", "error", err)
    849. 

  849. 			return
    850. 

  850. 		}
    851. 

  851. 		for _, extclient := range extclients {
    852. 

  852. 			if extclient.OwnerID == user.UserName {
    853. 

  853. 				err = logic.DeleteExtClientAndCleanup(extclient)
    854. 

  854. 				if err != nil {
    855. 

  855. 					slog.Error("failed to delete extclient",
    856. 

  856. 						"id", extclient.ClientID, "owner", username, "error", err)
    857. 

  857. 				} else {
    858. 

  858. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    859. 

  859. 						slog.Error("error setting ext peers: " + err.Error())
    860. 

  860. 					}
    861. 

  861. 				}
    862. 

  862. 			}
    863. 

  863. 		}
    864. 

  864. 		mq.PublishPeerUpdate(false)
    865. 

  865. 		if servercfg.IsDNSMode() {
    866. 

  866. 			logic.SetDNS()
    867. 

  867. 		}
    868. 

  868. 	}()
    869. 

  869. 	logger.Log(1, username, "was deleted")
    870. 

  870. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    871. 

  871. }
    872. 

  872. 

  873. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    874. 

  874. func socketHandler(w http.ResponseWriter, r *http.Request) {
    875. 

  875. 	// Upgrade our raw HTTP connection to a websocket based one
    876. 

  876. 	conn, err := upgrader.Upgrade(w, r, nil)
    877. 

  877. 	if err != nil {
    878. 

  878. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    879. 

  879. 		return
    880. 

  880. 	}
    881. 

  881. 	if conn == nil {
    882. 

  882. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    883. 

  883. 		return
    884. 

  884. 	}
    885. 

  885. 	// Start handling the session
    886. 

  886. 	go auth.SessionHandler(conn)
    887. 

  887. }
    888. 

  888. 

  889. // @Summary     lists all user roles.
    890. 

  890. // @Router      /api/v1/user/roles [get]
    891. 

  891. // @Tags        Users
    892. 

  892. // @Param       role_id query string true "roleid required to get the role details"
    893. 

  893. // @Success     200 {object}  []models.UserRolePermissionTemplate
    894. 

  894. // @Failure     500 {object} models.ErrorResponse
    895. 

  895. func listRoles(w http.ResponseWriter, r *http.Request) {
    896. 

  896. 	var roles []models.UserRolePermissionTemplate
    897. 

  897. 	var err error
    898. 

  898. 	roles, err = logic.ListPlatformRoles()
    899. 

  899. 	if err != nil {
    900. 

  900. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    901. 

  901. 			Code:    http.StatusInternalServerError,
    902. 

  902. 			Message: err.Error(),
    903. 

  903. 		})
    904. 

  904. 		return
    905. 

  905. 	}
    906. 

  906. 

  907. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    908. 

  908. }
    909.