首页 发现 帮助
登录
golang
/
netmaker
镜像自地址 https://github.com/gravitl/netmaker
2
0
派生 0
文件 工单管理 0 Wiki
分支: NET-2000
分支列表 标签列表
netmaker
/
controllers
/
user.go

user.go 30 KB
永久链接 文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"reflect"
    9. 

  9. 

  10. 	"github.com/gorilla/mux"
    11. 

  11. 	"github.com/gorilla/websocket"
    12. 

  12. 	"github.com/gravitl/netmaker/auth"
    13. 

  13. 	"github.com/gravitl/netmaker/logger"
    14. 

  14. 	"github.com/gravitl/netmaker/logic"
    15. 

  15. 	"github.com/gravitl/netmaker/models"
    16. 

  16. 	"github.com/gravitl/netmaker/mq"
    17. 

  17. 	"github.com/gravitl/netmaker/servercfg"
    18. 

  18. 	"golang.org/x/exp/slog"
    19. 

  19. )
    20. 

  20. 

  21. var (
    22. 

  22. 	upgrader = websocket.Upgrader{}
    23. 

  23. )
    24. 

  24. 

  25. var ListRoles = listRoles
    26. 

  26. 

  27. func userHandlers(r *mux.Router) {
    28. 

  28. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    29. 

  29. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    30. 

  30. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    31. 

  31. 		Methods(http.MethodPost)
    32. 

  32. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    34. 

  34. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    35. 

  35. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    37. 

  37. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    38. 

  38. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    39. 

  39. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    40. 

  40. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(createUserAccessToken))).Methods(http.MethodPost)
    41. 

  41. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(getUserAccessTokens))).Methods(http.MethodGet)
    42. 

  42. 	r.HandleFunc("/api/v1/users/access_token", logic.SecurityCheck(true, http.HandlerFunc(deleteUserAccessTokens))).Methods(http.MethodDelete)
    43. 

  43. }
    44. 

  44. 

  45. // @Summary     Authenticate a user to retrieve an authorization token
    46. 

  46. // @Router      /api/v1/users/{username}/access_token [post]
    47. 

  47. // @Tags        Auth
    48. 

  48. // @Accept      json
    49. 

  49. // @Param       body body models.UserAuthParams true "Authentication parameters"
    50. 

  50. // @Success     200 {object} models.SuccessResponse
    51. 

  51. // @Failure     400 {object} models.ErrorResponse
    52. 

  52. // @Failure     401 {object} models.ErrorResponse
    53. 

  53. // @Failure     500 {object} models.ErrorResponse
    54. 

  54. func createUserAccessToken(w http.ResponseWriter, r *http.Request) {
    55. 

  55. 

  56. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    57. 

  57. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    58. 

  58. 	var req models.AccessToken
    59. 

  59. 

  60. 	err := json.NewDecoder(r.Body).Decode(&req)
    61. 

  61. 	if err != nil {
    62. 

  62. 		logger.Log(0, "error decoding request body: ",
    63. 

  63. 			err.Error())
    64. 

  64. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    65. 

  65. 		return
    66. 

  66. 	}
    67. 

  67. 	if req.Name == "" {
    68. 

  68. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("name is required"), "badrequest"))
    69. 

  69. 		return
    70. 

  70. 	}
    71. 

  71. 	if req.UserName == "" {
    72. 

  72. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    73. 

  73. 		return
    74. 

  74. 	}
    75. 

  75. 

  76. 	user, err := logic.GetUser(req.UserName)
    77. 

  77. 	if err != nil {
    78. 

  78. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    79. 

  79. 		return
    80. 

  80. 	}
    81. 

  81. 	if logic.IsOauthUser(user) == nil {
    82. 

  82. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    83. 

  83. 		return
    84. 

  84. 	}
    85. 

  85. 	jwt, err := logic.CreateUserJWTWithExpiry(user.UserName, user.PlatformRoleID, req.ExpiresAt)
    86. 

  86. 

  87. 	if jwt == "" {
    88. 

  88. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    89. 

  89. 		logic.ReturnErrorResponse(
    90. 

  90. 			w,
    91. 

  91. 			r,
    92. 

  92. 			logic.FormatError(errors.New("error creating access token "+err.Error()), "internal"),
    93. 

  93. 		)
    94. 

  94. 		return
    95. 

  95. 	}
    96. 

  96. 	err = logic.CreateAccessToken(req)
    97. 

  97. 	if err != nil {
    98. 

  98. 		logic.ReturnErrorResponse(
    99. 

  99. 			w,
    100. 

  100. 			r,
    101. 

  101. 			logic.FormatError(errors.New("error creating access token "+err.Error()), "internal"),
    102. 

  102. 		)
    103. 

  103. 		return
    104. 

  104. 	}
    105. 

  105. 	logic.ReturnSuccessResponseWithJson(w, r, models.SuccessfulUserLoginResponse{
    106. 

  106. 		AuthToken: jwt,
    107. 

  107. 		UserName:  req.UserName,
    108. 

  108. 	}, "api access token has generated for user "+req.UserName)
    109. 

  109. }
    110. 

  110. 

  111. // @Summary     Authenticate a user to retrieve an authorization token
    112. 

  112. // @Router      /api/v1/users/{username}/access_token [post]
    113. 

  113. // @Tags        Auth
    114. 

  114. // @Accept      json
    115. 

  115. // @Param       body body models.UserAuthParams true "Authentication parameters"
    116. 

  116. // @Success     200 {object} models.SuccessResponse
    117. 

  117. // @Failure     400 {object} models.ErrorResponse
    118. 

  118. // @Failure     401 {object} models.ErrorResponse
    119. 

  119. // @Failure     500 {object} models.ErrorResponse
    120. 

  120. func getUserAccessTokens(w http.ResponseWriter, r *http.Request) {
    121. 

  121. 	username := r.URL.Query().Get("username")
    122. 

  122. 	if username == "" {
    123. 

  123. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    124. 

  124. 		return
    125. 

  125. 	}
    126. 

  126. 	_, err := logic.GetUser(username)
    127. 

  127. 	if err != nil {
    128. 

  128. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "unauthorized"))
    129. 

  129. 		return
    130. 

  130. 	}
    131. 

  131. 

  132. 	logic.ReturnSuccessResponseWithJson(w, r, logic.ListAccessTokens(username), "fetched api access tokens for user "+username)
    133. 

  133. }
    134. 

  134. 

  135. // @Summary     Authenticate a user to retrieve an authorization token
    136. 

  136. // @Router      /api/v1/users/{username}/access_token [post]
    137. 

  137. // @Tags        Auth
    138. 

  138. // @Accept      json
    139. 

  139. // @Param       body body models.UserAuthParams true "Authentication parameters"
    140. 

  140. // @Success     200 {object} models.SuccessResponse
    141. 

  141. // @Failure     400 {object} models.ErrorResponse
    142. 

  142. // @Failure     401 {object} models.ErrorResponse
    143. 

  143. // @Failure     500 {object} models.ErrorResponse
    144. 

  144. func deleteUserAccessTokens(w http.ResponseWriter, r *http.Request) {
    145. 

  145. 	id := r.URL.Query().Get("id")
    146. 

  146. 	if id == "" {
    147. 

  147. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("id is required"), "badrequest"))
    148. 

  148. 		return
    149. 

  149. 	}
    150. 

  150. 

  151. 	err := logic.RevokeAccessToken(models.AccessToken{ID: id})
    152. 

  152. 	if err != nil {
    153. 

  153. 		logic.ReturnErrorResponse(
    154. 

  154. 			w,
    155. 

  155. 			r,
    156. 

  156. 			logic.FormatError(errors.New("error deleting access token "+err.Error()), "internal"),
    157. 

  157. 		)
    158. 

  158. 		return
    159. 

  159. 	}
    160. 

  160. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "revoked access token")
    161. 

  161. }
    162. 

  162. 

  163. // @Summary     Authenticate a user to retrieve an authorization token
    164. 

  164. // @Router      /api/users/adm/authenticate [post]
    165. 

  165. // @Tags        Auth
    166. 

  166. // @Accept      json
    167. 

  167. // @Param       body body models.UserAuthParams true "Authentication parameters"
    168. 

  168. // @Success     200 {object} models.SuccessResponse
    169. 

  169. // @Failure     400 {object} models.ErrorResponse
    170. 

  170. // @Failure     401 {object} models.ErrorResponse
    171. 

  171. // @Failure     500 {object} models.ErrorResponse
    172. 

  172. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    173. 

  173. 

  174. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    175. 

  175. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    176. 

  176. 	var authRequest models.UserAuthParams
    177. 

  177. 	var errorResponse = models.ErrorResponse{
    178. 

  178. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    179. 

  179. 	}
    180. 

  180. 

  181. 	if !servercfg.IsBasicAuthEnabled() {
    182. 

  182. 		logic.ReturnErrorResponse(
    183. 

  183. 			response,
    184. 

  184. 			request,
    185. 

  185. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    186. 

  186. 		)
    187. 

  187. 		return
    188. 

  188. 	}
    189. 

  189. 

  190. 	decoder := json.NewDecoder(request.Body)
    191. 

  191. 	decoderErr := decoder.Decode(&authRequest)
    192. 

  192. 	defer request.Body.Close()
    193. 

  193. 	if decoderErr != nil {
    194. 

  194. 		logger.Log(0, "error decoding request body: ",
    195. 

  195. 			decoderErr.Error())
    196. 

  196. 		logic.ReturnErrorResponse(response, request, errorResponse)
    197. 

  197. 		return
    198. 

  198. 	}
    199. 

  199. 	if val := request.Header.Get("From-Ui"); val == "true" {
    200. 

  200. 		// request came from UI, if normal user block Login
    201. 

  201. 		user, err := logic.GetUser(authRequest.UserName)
    202. 

  202. 		if err != nil {
    203. 

  203. 			logger.Log(0, authRequest.UserName, "user validation failed: ",
    204. 

  204. 				err.Error())
    205. 

  205. 			logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    206. 

  206. 			return
    207. 

  207. 		}
    208. 

  208. 		role, err := logic.GetRole(user.PlatformRoleID)
    209. 

  209. 		if err != nil {
    210. 

  210. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    211. 

  211. 			return
    212. 

  212. 		}
    213. 

  213. 		if role.DenyDashboardAccess {
    214. 

  214. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    215. 

  215. 			return
    216. 

  216. 		}
    217. 

  217. 	}
    218. 

  218. 	user, err := logic.GetUser(authRequest.UserName)
    219. 

  219. 	if err != nil {
    220. 

  220. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    221. 

  221. 		return
    222. 

  222. 	}
    223. 

  223. 	if logic.IsOauthUser(user) == nil {
    224. 

  224. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    225. 

  225. 		return
    226. 

  226. 	}
    227. 

  227. 	username := authRequest.UserName
    228. 

  228. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    229. 

  229. 	if err != nil {
    230. 

  230. 		logger.Log(0, username, "user validation failed: ",
    231. 

  231. 			err.Error())
    232. 

  232. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    233. 

  233. 		return
    234. 

  234. 	}
    235. 

  235. 

  236. 	if jwt == "" {
    237. 

  237. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    238. 

  238. 		logger.Log(0, username, "jwt token is empty")
    239. 

  239. 		logic.ReturnErrorResponse(
    240. 

  240. 			response,
    241. 

  241. 			request,
    242. 

  242. 			logic.FormatError(errors.New("no token returned"), "internal"),
    243. 

  243. 		)
    244. 

  244. 		return
    245. 

  245. 	}
    246. 

  246. 

  247. 	var successResponse = models.SuccessResponse{
    248. 

  248. 		Code:    http.StatusOK,
    249. 

  249. 		Message: "W1R3: Device " + username + " Authorized",
    250. 

  250. 		Response: models.SuccessfulUserLoginResponse{
    251. 

  251. 			AuthToken: jwt,
    252. 

  252. 			UserName:  username,
    253. 

  253. 		},
    254. 

  254. 	}
    255. 

  255. 	// Send back the JWT
    256. 

  256. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    257. 

  257. 	if jsonError != nil {
    258. 

  258. 		logger.Log(0, username,
    259. 

  259. 			"error marshalling resp: ", jsonError.Error())
    260. 

  260. 		logic.ReturnErrorResponse(response, request, errorResponse)
    261. 

  261. 		return
    262. 

  262. 	}
    263. 

  263. 	logger.Log(2, username, "was authenticated")
    264. 

  264. 	response.Header().Set("Content-Type", "application/json")
    265. 

  265. 	response.Write(successJSONResponse)
    266. 

  266. 

  267. 	go func() {
    268. 

  268. 		if servercfg.IsPro && servercfg.GetRacAutoDisable() {
    269. 

  269. 			// enable all associeated clients for the user
    270. 

  270. 			clients, err := logic.GetAllExtClients()
    271. 

  271. 			if err != nil {
    272. 

  272. 				slog.Error("error getting clients: ", "error", err)
    273. 

  273. 				return
    274. 

  274. 			}
    275. 

  275. 			for _, client := range clients {
    276. 

  276. 				if client.OwnerID == username && !client.Enabled {
    277. 

  277. 					slog.Info(
    278. 

  278. 						fmt.Sprintf(
    279. 

  279. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    280. 

  280. 							client.ClientID,
    281. 

  281. 							client.OwnerID,
    282. 

  282. 						),
    283. 

  283. 					)
    284. 

  284. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    285. 

  285. 						slog.Error(
    286. 

  286. 							"error enabling ext client in RAC autodisable hook",
    287. 

  287. 							"error",
    288. 

  288. 							err,
    289. 

  289. 						)
    290. 

  290. 						continue // dont return but try for other clients
    291. 

  291. 					} else {
    292. 

  292. 						// publish peer update to ingress gateway
    293. 

  293. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    294. 

  294. 							if err = mq.PublishPeerUpdate(false); err != nil {
    295. 

  295. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    296. 

  296. 							}
    297. 

  297. 						}
    298. 

  298. 					}
    299. 

  299. 				}
    300. 

  300. 			}
    301. 

  301. 		}
    302. 

  302. 	}()
    303. 

  303. }
    304. 

  304. 

  305. // @Summary     Check if the server has a super admin
    306. 

  306. // @Router      /api/users/adm/hassuperadmin [get]
    307. 

  307. // @Tags        Users
    308. 

  308. // @Success     200 {object} bool
    309. 

  309. // @Failure     500 {object} models.ErrorResponse
    310. 

  310. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    311. 

  311. 

  312. 	w.Header().Set("Content-Type", "application/json")
    313. 

  313. 

  314. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    315. 

  315. 	if err != nil {
    316. 

  316. 		logger.Log(0, "failed to check for admin: ", err.Error())
    317. 

  317. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    318. 

  318. 		return
    319. 

  319. 	}
    320. 

  320. 

  321. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    322. 

  322. 

  323. }
    324. 

  324. 

  325. // @Summary     Get an individual user
    326. 

  326. // @Router      /api/users/{username} [get]
    327. 

  327. // @Tags        Users
    328. 

  328. // @Param       username path string true "Username of the user to fetch"
    329. 

  329. // @Success     200 {object} models.User
    330. 

  330. // @Failure     500 {object} models.ErrorResponse
    331. 

  331. func getUser(w http.ResponseWriter, r *http.Request) {
    332. 

  332. 	// set header.
    333. 

  333. 	w.Header().Set("Content-Type", "application/json")
    334. 

  334. 

  335. 	var params = mux.Vars(r)
    336. 

  336. 	usernameFetched := params["username"]
    337. 

  337. 	user, err := logic.GetReturnUser(usernameFetched)
    338. 

  338. 

  339. 	if err != nil {
    340. 

  340. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    341. 

  341. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    342. 

  342. 		return
    343. 

  343. 	}
    344. 

  344. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    345. 

  345. 	json.NewEncoder(w).Encode(user)
    346. 

  346. }
    347. 

  347. 

  348. // swagger:route GET /api/v1/users user getUserV1
    349. 

  349. //
    350. 

  350. // Get an individual user with role info.
    351. 

  351. //
    352. 

  352. //			Schemes: https
    353. 

  353. //
    354. 

  354. //			Security:
    355. 

  355. //	  		oauth
    356. 

  356. //
    357. 

  357. //			Responses:
    358. 

  358. //				200: ReturnUserWithRolesAndGroups
    359. 

  359. func getUserV1(w http.ResponseWriter, r *http.Request) {
    360. 

  360. 	// set header.
    361. 

  361. 	w.Header().Set("Content-Type", "application/json")
    362. 

  362. 	usernameFetched := r.URL.Query().Get("username")
    363. 

  363. 	if usernameFetched == "" {
    364. 

  364. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    365. 

  365. 		return
    366. 

  366. 	}
    367. 

  367. 	user, err := logic.GetReturnUser(usernameFetched)
    368. 

  368. 	if err != nil {
    369. 

  369. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    370. 

  370. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    371. 

  371. 		return
    372. 

  372. 	}
    373. 

  373. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    374. 

  374. 	if err != nil {
    375. 

  375. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    376. 

  376. 		return
    377. 

  377. 	}
    378. 

  378. 	resp := models.ReturnUserWithRolesAndGroups{
    379. 

  379. 		ReturnUser:   user,
    380. 

  380. 		PlatformRole: userRoleTemplate,
    381. 

  381. 		UserGroups:   map[models.UserGroupID]models.UserGroup{},
    382. 

  382. 	}
    383. 

  383. 	for gId := range user.UserGroups {
    384. 

  384. 		grp, err := logic.GetUserGroup(gId)
    385. 

  385. 		if err != nil {
    386. 

  386. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    387. 

  387. 			return
    388. 

  388. 		}
    389. 

  389. 		resp.UserGroups[gId] = grp
    390. 

  390. 	}
    391. 

  391. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    392. 

  392. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    393. 

  393. }
    394. 

  394. 

  395. // swagger:route GET /api/users user getUsers
    396. 

  396. //
    397. 

  397. // Get all users.
    398. 

  398. //
    399. 

  399. //			Schemes: https
    400. 

  400. //
    401. 

  401. //			Security:
    402. 

  402. //	  		oauth
    403. 

  403. //
    404. 

  404. //			Responses:
    405. 

  405. //				200: userBodyResponse
    406. 

  406. func getUsers(w http.ResponseWriter, r *http.Request) {
    407. 

  407. 	// set header.
    408. 

  408. 	w.Header().Set("Content-Type", "application/json")
    409. 

  409. 

  410. 	users, err := logic.GetUsers()
    411. 

  411. 

  412. 	if err != nil {
    413. 

  413. 		logger.Log(0, "failed to fetch users: ", err.Error())
    414. 

  414. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    415. 

  415. 		return
    416. 

  416. 	}
    417. 

  417. 

  418. 	logic.SortUsers(users[:])
    419. 

  419. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    420. 

  420. 	json.NewEncoder(w).Encode(users)
    421. 

  421. }
    422. 

  422. 

  423. // @Summary     Create a super admin
    424. 

  424. // @Router      /api/users/adm/createsuperadmin [post]
    425. 

  425. // @Tags        Users
    426. 

  426. // @Param       body body models.User true "User details"
    427. 

  427. // @Success     200 {object} models.User
    428. 

  428. // @Failure     400 {object} models.ErrorResponse
    429. 

  429. // @Failure     500 {object} models.ErrorResponse
    430. 

  430. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    431. 

  431. 	w.Header().Set("Content-Type", "application/json")
    432. 

  432. 

  433. 	var u models.User
    434. 

  434. 

  435. 	err := json.NewDecoder(r.Body).Decode(&u)
    436. 

  436. 	if err != nil {
    437. 

  437. 		slog.Error("error decoding request body", "error", err.Error())
    438. 

  438. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    439. 

  439. 		return
    440. 

  440. 	}
    441. 

  441. 

  442. 	if !servercfg.IsBasicAuthEnabled() {
    443. 

  443. 		logic.ReturnErrorResponse(
    444. 

  444. 			w,
    445. 

  445. 			r,
    446. 

  446. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    447. 

  447. 		)
    448. 

  448. 		return
    449. 

  449. 	}
    450. 

  450. 

  451. 	err = logic.CreateSuperAdmin(&u)
    452. 

  452. 	if err != nil {
    453. 

  453. 		slog.Error("failed to create admin", "error", err.Error())
    454. 

  454. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    455. 

  455. 		return
    456. 

  456. 	}
    457. 

  457. 	logger.Log(1, u.UserName, "was made a super admin")
    458. 

  458. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    459. 

  459. }
    460. 

  460. 

  461. // @Summary     Transfer super admin role to another admin user
    462. 

  462. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    463. 

  463. // @Tags        Users
    464. 

  464. // @Param       username path string true "Username of the user to transfer super admin role"
    465. 

  465. // @Success     200 {object} models.User
    466. 

  466. // @Failure     403 {object} models.ErrorResponse
    467. 

  467. // @Failure     500 {object} models.ErrorResponse
    468. 

  468. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    469. 

  469. 	w.Header().Set("Content-Type", "application/json")
    470. 

  470. 	caller, err := logic.GetUser(r.Header.Get("user"))
    471. 

  471. 	if err != nil {
    472. 

  472. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    473. 

  473. 	}
    474. 

  474. 	if caller.PlatformRoleID != models.SuperAdminRole {
    475. 

  475. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    476. 

  476. 		return
    477. 

  477. 	}
    478. 

  478. 	var params = mux.Vars(r)
    479. 

  479. 	username := params["username"]
    480. 

  480. 	u, err := logic.GetUser(username)
    481. 

  481. 	if err != nil {
    482. 

  482. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    483. 

  483. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    484. 

  484. 		return
    485. 

  485. 	}
    486. 

  486. 	if u.PlatformRoleID != models.AdminRole {
    487. 

  487. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    488. 

  488. 		return
    489. 

  489. 	}
    490. 

  490. 	if !servercfg.IsBasicAuthEnabled() {
    491. 

  491. 		logic.ReturnErrorResponse(
    492. 

  492. 			w,
    493. 

  493. 			r,
    494. 

  494. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    495. 

  495. 		)
    496. 

  496. 		return
    497. 

  497. 	}
    498. 

  498. 

  499. 	u.PlatformRoleID = models.SuperAdminRole
    500. 

  500. 	err = logic.UpsertUser(*u)
    501. 

  501. 	if err != nil {
    502. 

  502. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    503. 

  503. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    504. 

  504. 		return
    505. 

  505. 	}
    506. 

  506. 	caller.PlatformRoleID = models.AdminRole
    507. 

  507. 	err = logic.UpsertUser(*caller)
    508. 

  508. 	if err != nil {
    509. 

  509. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    510. 

  510. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    511. 

  511. 		return
    512. 

  512. 	}
    513. 

  513. 	slog.Info("user was made a super admin", "user", u.UserName)
    514. 

  514. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    515. 

  515. }
    516. 

  516. 

  517. // @Summary     Create a user
    518. 

  518. // @Router      /api/users/{username} [post]
    519. 

  519. // @Tags        Users
    520. 

  520. // @Param       username path string true "Username of the user to create"
    521. 

  521. // @Param       body body models.User true "User details"
    522. 

  522. // @Success     200 {object} models.User
    523. 

  523. // @Failure     400 {object} models.ErrorResponse
    524. 

  524. // @Failure     403 {object} models.ErrorResponse
    525. 

  525. // @Failure     500 {object} models.ErrorResponse
    526. 

  526. func createUser(w http.ResponseWriter, r *http.Request) {
    527. 

  527. 	w.Header().Set("Content-Type", "application/json")
    528. 

  528. 	caller, err := logic.GetUser(r.Header.Get("user"))
    529. 

  529. 	if err != nil {
    530. 

  530. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    531. 

  531. 		return
    532. 

  532. 	}
    533. 

  533. 	var user models.User
    534. 

  534. 	err = json.NewDecoder(r.Body).Decode(&user)
    535. 

  535. 	if err != nil {
    536. 

  536. 		logger.Log(0, user.UserName, "error decoding request body: ",
    537. 

  537. 			err.Error())
    538. 

  538. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    539. 

  539. 		return
    540. 

  540. 	}
    541. 

  541. 	if !servercfg.IsPro {
    542. 

  542. 		user.PlatformRoleID = models.AdminRole
    543. 

  543. 	}
    544. 

  544. 

  545. 	if user.PlatformRoleID == "" {
    546. 

  546. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    547. 

  547. 		return
    548. 

  548. 	}
    549. 

  549. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    550. 

  550. 	if err != nil {
    551. 

  551. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    552. 

  552. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    553. 

  553. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    554. 

  554. 		return
    555. 

  555. 	}
    556. 

  556. 	if userRole.ID == models.SuperAdminRole {
    557. 

  557. 		err = errors.New("additional superadmins cannot be created")
    558. 

  558. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    559. 

  559. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    560. 

  560. 		return
    561. 

  561. 	}
    562. 

  562. 

  563. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    564. 

  564. 		err = errors.New("only superadmin can create admin users")
    565. 

  565. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    566. 

  566. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    567. 

  567. 		return
    568. 

  568. 	}
    569. 

  569. 

  570. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    571. 

  571. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    572. 

  572. 		return
    573. 

  573. 	}
    574. 

  574. 

  575. 	err = logic.CreateUser(&user)
    576. 

  576. 	if err != nil {
    577. 

  577. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    578. 

  578. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    579. 

  579. 		return
    580. 

  580. 	}
    581. 

  581. 	logic.DeleteUserInvite(user.UserName)
    582. 

  582. 	logic.DeletePendingUser(user.UserName)
    583. 

  583. 	go mq.PublishPeerUpdate(false)
    584. 

  584. 	slog.Info("user was created", "username", user.UserName)
    585. 

  585. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    586. 

  586. }
    587. 

  587. 

  588. // @Summary     Update a user
    589. 

  589. // @Router      /api/users/{username} [put]
    590. 

  590. // @Tags        Users
    591. 

  591. // @Param       username path string true "Username of the user to update"
    592. 

  592. // @Param       body body models.User true "User details"
    593. 

  593. // @Success     200 {object} models.User
    594. 

  594. // @Failure     400 {object} models.ErrorResponse
    595. 

  595. // @Failure     403 {object} models.ErrorResponse
    596. 

  596. // @Failure     500 {object} models.ErrorResponse
    597. 

  597. func updateUser(w http.ResponseWriter, r *http.Request) {
    598. 

  598. 	w.Header().Set("Content-Type", "application/json")
    599. 

  599. 	var params = mux.Vars(r)
    600. 

  600. 	// start here
    601. 

  601. 	var caller *models.User
    602. 

  602. 	var err error
    603. 

  603. 	var ismaster bool
    604. 

  604. 	if r.Header.Get("user") == logic.MasterUser {
    605. 

  605. 		ismaster = true
    606. 

  606. 	} else {
    607. 

  607. 		caller, err = logic.GetUser(r.Header.Get("user"))
    608. 

  608. 		if err != nil {
    609. 

  609. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    610. 

  610. 		}
    611. 

  611. 	}
    612. 

  612. 

  613. 	username := params["username"]
    614. 

  614. 	user, err := logic.GetUser(username)
    615. 

  615. 	if err != nil {
    616. 

  616. 		logger.Log(0, username,
    617. 

  617. 			"failed to update user info: ", err.Error())
    618. 

  618. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    619. 

  619. 		return
    620. 

  620. 	}
    621. 

  621. 	var userchange models.User
    622. 

  622. 	// we decode our body request params
    623. 

  623. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    624. 

  624. 	if err != nil {
    625. 

  625. 		slog.Error("failed to decode body", "error ", err.Error())
    626. 

  626. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    627. 

  627. 		return
    628. 

  628. 	}
    629. 

  629. 	if user.UserName != userchange.UserName {
    630. 

  630. 		logic.ReturnErrorResponse(
    631. 

  631. 			w,
    632. 

  632. 			r,
    633. 

  633. 			logic.FormatError(
    634. 

  634. 				errors.New("user in param and request body not matching"),
    635. 

  635. 				"badrequest",
    636. 

  636. 			),
    637. 

  637. 		)
    638. 

  638. 		return
    639. 

  639. 	}
    640. 

  640. 	selfUpdate := false
    641. 

  641. 	if !ismaster && caller.UserName == user.UserName {
    642. 

  642. 		selfUpdate = true
    643. 

  643. 	}
    644. 

  644. 

  645. 	if !ismaster && !selfUpdate {
    646. 

  646. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    647. 

  647. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    648. 

  648. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    649. 

  649. 			return
    650. 

  650. 		}
    651. 

  651. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    652. 

  652. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    653. 

  653. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    654. 

  654. 			return
    655. 

  655. 		}
    656. 

  656. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    657. 

  657. 			slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
    658. 

  658. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
    659. 

  659. 			return
    660. 

  660. 		}
    661. 

  661. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    662. 

  662. 			err = errors.New("admin user cannot update role of an another user to admin")
    663. 

  663. 			slog.Error(
    664. 

  664. 				"failed to update user",
    665. 

  665. 				"caller",
    666. 

  666. 				caller.UserName,
    667. 

  667. 				"attempted to update user",
    668. 

  668. 				username,
    669. 

  669. 				"error",
    670. 

  670. 				err,
    671. 

  671. 			)
    672. 

  672. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    673. 

  673. 			return
    674. 

  674. 		}
    675. 

  675. 

  676. 	}
    677. 

  677. 	if !ismaster && selfUpdate {
    678. 

  678. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    679. 

  679. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    680. 

  680. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    681. 

  681. 			return
    682. 

  682. 

  683. 		}
    684. 

  684. 		if servercfg.IsPro {
    685. 

  685. 			// user cannot update his own roles and groups
    686. 

  686. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    687. 

  687. 				err = errors.New("user cannot update self update their network roles")
    688. 

  688. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    689. 

  689. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    690. 

  690. 				return
    691. 

  691. 			}
    692. 

  692. 			// user cannot update his own roles and groups
    693. 

  693. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    694. 

  694. 				err = errors.New("user cannot update self update their groups")
    695. 

  695. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    696. 

  696. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    697. 

  697. 				return
    698. 

  698. 			}
    699. 

  699. 		}
    700. 

  700. 

  701. 	}
    702. 

  702. 	if ismaster {
    703. 

  703. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    704. 

  704. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    705. 

  705. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    706. 

  706. 			return
    707. 

  707. 		}
    708. 

  708. 	}
    709. 

  709. 

  710. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    711. 

  711. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    712. 

  712. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    713. 

  713. 		return
    714. 

  714. 	}
    715. 

  715. 

  716. 	user, err = logic.UpdateUser(&userchange, user)
    717. 

  717. 	if err != nil {
    718. 

  718. 		logger.Log(0, username,
    719. 

  719. 			"failed to update user info: ", err.Error())
    720. 

  720. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    721. 

  721. 		return
    722. 

  722. 	}
    723. 

  723. 	go mq.PublishPeerUpdate(false)
    724. 

  724. 	logger.Log(1, username, "was updated")
    725. 

  725. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    726. 

  726. }
    727. 

  727. 

  728. // @Summary     Delete a user
    729. 

  729. // @Router      /api/users/{username} [delete]
    730. 

  730. // @Tags        Users
    731. 

  731. // @Param       username path string true "Username of the user to delete"
    732. 

  732. // @Success     200 {string} string
    733. 

  733. // @Failure     500 {object} models.ErrorResponse
    734. 

  734. func deleteUser(w http.ResponseWriter, r *http.Request) {
    735. 

  735. 	// Set header
    736. 

  736. 	w.Header().Set("Content-Type", "application/json")
    737. 

  737. 

  738. 	// get params
    739. 

  739. 	var params = mux.Vars(r)
    740. 

  740. 	caller, err := logic.GetUser(r.Header.Get("user"))
    741. 

  741. 	if err != nil {
    742. 

  742. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    743. 

  743. 	}
    744. 

  744. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    745. 

  745. 	if err != nil {
    746. 

  746. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    747. 

  747. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    748. 

  748. 		return
    749. 

  749. 	}
    750. 

  750. 	username := params["username"]
    751. 

  751. 	user, err := logic.GetUser(username)
    752. 

  752. 	if err != nil {
    753. 

  753. 		logger.Log(0, username,
    754. 

  754. 			"failed to update user info: ", err.Error())
    755. 

  755. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    756. 

  756. 		return
    757. 

  757. 	}
    758. 

  758. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    759. 

  759. 	if err != nil {
    760. 

  760. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    761. 

  761. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    762. 

  762. 		return
    763. 

  763. 	}
    764. 

  764. 	if userRole.ID == models.SuperAdminRole {
    765. 

  765. 		slog.Error(
    766. 

  766. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    767. 

  767. 		logic.ReturnErrorResponse(
    768. 

  768. 			w,
    769. 

  769. 			r,
    770. 

  770. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    771. 

  771. 		)
    772. 

  772. 		return
    773. 

  773. 	}
    774. 

  774. 	if callerUserRole.ID != models.SuperAdminRole {
    775. 

  775. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    776. 

  776. 			slog.Error(
    777. 

  777. 				"failed to delete user: ",
    778. 

  778. 				"user",
    779. 

  779. 				username,
    780. 

  780. 				"error",
    781. 

  781. 				"admin cannot delete another admin user, including oneself",
    782. 

  782. 			)
    783. 

  783. 			logic.ReturnErrorResponse(
    784. 

  784. 				w,
    785. 

  785. 				r,
    786. 

  786. 				logic.FormatError(
    787. 

  787. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    788. 

  788. 					"internal",
    789. 

  789. 				),
    790. 

  790. 			)
    791. 

  791. 			return
    792. 

  792. 		}
    793. 

  793. 	}
    794. 

  794. 	success, err := logic.DeleteUser(username)
    795. 

  795. 	if err != nil {
    796. 

  796. 		logger.Log(0, username,
    797. 

  797. 			"failed to delete user: ", err.Error())
    798. 

  798. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    799. 

  799. 		return
    800. 

  800. 	} else if !success {
    801. 

  801. 		err := errors.New("delete unsuccessful")
    802. 

  802. 		logger.Log(0, username, err.Error())
    803. 

  803. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    804. 

  804. 		return
    805. 

  805. 	}
    806. 

  806. 	// check and delete extclient with this ownerID
    807. 

  807. 	go func() {
    808. 

  808. 		extclients, err := logic.GetAllExtClients()
    809. 

  809. 		if err != nil {
    810. 

  810. 			slog.Error("failed to get extclients", "error", err)
    811. 

  811. 			return
    812. 

  812. 		}
    813. 

  813. 		for _, extclient := range extclients {
    814. 

  814. 			if extclient.OwnerID == user.UserName {
    815. 

  815. 				err = logic.DeleteExtClientAndCleanup(extclient)
    816. 

  816. 				if err != nil {
    817. 

  817. 					slog.Error("failed to delete extclient",
    818. 

  818. 						"id", extclient.ClientID, "owner", username, "error", err)
    819. 

  819. 				} else {
    820. 

  820. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    821. 

  821. 						slog.Error("error setting ext peers: " + err.Error())
    822. 

  822. 					}
    823. 

  823. 				}
    824. 

  824. 			}
    825. 

  825. 		}
    826. 

  826. 		mq.PublishPeerUpdate(false)
    827. 

  827. 		if servercfg.IsDNSMode() {
    828. 

  828. 			logic.SetDNS()
    829. 

  829. 		}
    830. 

  830. 	}()
    831. 

  831. 	logger.Log(1, username, "was deleted")
    832. 

  832. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    833. 

  833. }
    834. 

  834. 

  835. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    836. 

  836. func socketHandler(w http.ResponseWriter, r *http.Request) {
    837. 

  837. 	// Upgrade our raw HTTP connection to a websocket based one
    838. 

  838. 	conn, err := upgrader.Upgrade(w, r, nil)
    839. 

  839. 	if err != nil {
    840. 

  840. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    841. 

  841. 		return
    842. 

  842. 	}
    843. 

  843. 	if conn == nil {
    844. 

  844. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    845. 

  845. 		return
    846. 

  846. 	}
    847. 

  847. 	// Start handling the session
    848. 

  848. 	go auth.SessionHandler(conn)
    849. 

  849. }
    850. 

  850. 

  851. // @Summary     lists all user roles.
    852. 

  852. // @Router      /api/v1/user/roles [get]
    853. 

  853. // @Tags        Users
    854. 

  854. // @Param       role_id query string true "roleid required to get the role details"
    855. 

  855. // @Success     200 {object}  []models.UserRolePermissionTemplate
    856. 

  856. // @Failure     500 {object} models.ErrorResponse
    857. 

  857. func listRoles(w http.ResponseWriter, r *http.Request) {
    858. 

  858. 	var roles []models.UserRolePermissionTemplate
    859. 

  859. 	var err error
    860. 

  860. 	roles, err = logic.ListPlatformRoles()
    861. 

  861. 	if err != nil {
    862. 

  862. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    863. 

  863. 			Code:    http.StatusInternalServerError,
    864. 

  864. 			Message: err.Error(),
    865. 

  865. 		})
    866. 

  866. 		return
    867. 

  867. 	}
    868. 

  868. 

  869. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    870. 

  870. }
    871.