Acasă Explorează Ajutor
Autentificare
golang
/
netmaker
oglindă de https://github.com/gravitl/netmaker
2
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Ramură: NET-2003
Ramuri Etichete
netmaker
/
controllers
/
user.go

user.go 25 KB
Permalink Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"reflect"
    9. 

  9. 

  10. 	"github.com/gorilla/mux"
    11. 

  11. 	"github.com/gorilla/websocket"
    12. 

  12. 	"github.com/gravitl/netmaker/auth"
    13. 

  13. 	"github.com/gravitl/netmaker/logger"
    14. 

  14. 	"github.com/gravitl/netmaker/logic"
    15. 

  15. 	"github.com/gravitl/netmaker/models"
    16. 

  16. 	"github.com/gravitl/netmaker/mq"
    17. 

  17. 	"github.com/gravitl/netmaker/servercfg"
    18. 

  18. 	"golang.org/x/exp/slog"
    19. 

  19. )
    20. 

  20. 

  21. var (
    22. 

  22. 	upgrader = websocket.Upgrader{}
    23. 

  23. )
    24. 

  24. 

  25. var ListRoles = listRoles
    26. 

  26. 

  27. func userHandlers(r *mux.Router) {
    28. 

  28. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    29. 

  29. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    30. 

  30. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    31. 

  31. 		Methods(http.MethodPost)
    32. 

  32. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    34. 

  34. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    35. 

  35. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    37. 

  37. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    38. 

  38. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    39. 

  39. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    40. 

  40. 

  41. }
    42. 

  42. 

  43. // @Summary     Authenticate a user to retrieve an authorization token
    44. 

  44. // @Router      /api/users/adm/authenticate [post]
    45. 

  45. // @Tags        Auth
    46. 

  46. // @Accept      json
    47. 

  47. // @Param       body body models.UserAuthParams true "Authentication parameters"
    48. 

  48. // @Success     200 {object} models.SuccessResponse
    49. 

  49. // @Failure     400 {object} models.ErrorResponse
    50. 

  50. // @Failure     401 {object} models.ErrorResponse
    51. 

  51. // @Failure     500 {object} models.ErrorResponse
    52. 

  52. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    53. 

  53. 

  54. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    55. 

  55. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    56. 

  56. 	var authRequest models.UserAuthParams
    57. 

  57. 	var errorResponse = models.ErrorResponse{
    58. 

  58. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    59. 

  59. 	}
    60. 

  60. 

  61. 	if !servercfg.IsBasicAuthEnabled() {
    62. 

  62. 		logic.ReturnErrorResponse(
    63. 

  63. 			response,
    64. 

  64. 			request,
    65. 

  65. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    66. 

  66. 		)
    67. 

  67. 		return
    68. 

  68. 	}
    69. 

  69. 

  70. 	decoder := json.NewDecoder(request.Body)
    71. 

  71. 	decoderErr := decoder.Decode(&authRequest)
    72. 

  72. 	defer request.Body.Close()
    73. 

  73. 	if decoderErr != nil {
    74. 

  74. 		logger.Log(0, "error decoding request body: ",
    75. 

  75. 			decoderErr.Error())
    76. 

  76. 		logic.ReturnErrorResponse(response, request, errorResponse)
    77. 

  77. 		return
    78. 

  78. 	}
    79. 

  79. 	if val := request.Header.Get("From-Ui"); val == "true" {
    80. 

  80. 		// request came from UI, if normal user block Login
    81. 

  81. 		user, err := logic.GetUser(authRequest.UserName)
    82. 

  82. 		if err != nil {
    83. 

  83. 			logger.Log(0, authRequest.UserName, "user validation failed: ",
    84. 

  84. 				err.Error())
    85. 

  85. 			logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    86. 

  86. 			return
    87. 

  87. 		}
    88. 

  88. 		role, err := logic.GetRole(user.PlatformRoleID)
    89. 

  89. 		if err != nil {
    90. 

  90. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    91. 

  91. 			return
    92. 

  92. 		}
    93. 

  93. 		if role.DenyDashboardAccess {
    94. 

  94. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    95. 

  95. 			return
    96. 

  96. 		}
    97. 

  97. 	}
    98. 

  98. 	user, err := logic.GetUser(authRequest.UserName)
    99. 

  99. 	if err != nil {
    100. 

  100. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    101. 

  101. 		return
    102. 

  102. 	}
    103. 

  103. 	if logic.IsOauthUser(user) == nil {
    104. 

  104. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    105. 

  105. 		return
    106. 

  106. 	}
    107. 

  107. 	username := authRequest.UserName
    108. 

  108. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    109. 

  109. 	if err != nil {
    110. 

  110. 		logger.Log(0, username, "user validation failed: ",
    111. 

  111. 			err.Error())
    112. 

  112. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    113. 

  113. 		return
    114. 

  114. 	}
    115. 

  115. 

  116. 	if jwt == "" {
    117. 

  117. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    118. 

  118. 		logger.Log(0, username, "jwt token is empty")
    119. 

  119. 		logic.ReturnErrorResponse(
    120. 

  120. 			response,
    121. 

  121. 			request,
    122. 

  122. 			logic.FormatError(errors.New("no token returned"), "internal"),
    123. 

  123. 		)
    124. 

  124. 		return
    125. 

  125. 	}
    126. 

  126. 

  127. 	var successResponse = models.SuccessResponse{
    128. 

  128. 		Code:    http.StatusOK,
    129. 

  129. 		Message: "W1R3: Device " + username + " Authorized",
    130. 

  130. 		Response: models.SuccessfulUserLoginResponse{
    131. 

  131. 			AuthToken: jwt,
    132. 

  132. 			UserName:  username,
    133. 

  133. 		},
    134. 

  134. 	}
    135. 

  135. 	// Send back the JWT
    136. 

  136. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    137. 

  137. 	if jsonError != nil {
    138. 

  138. 		logger.Log(0, username,
    139. 

  139. 			"error marshalling resp: ", jsonError.Error())
    140. 

  140. 		logic.ReturnErrorResponse(response, request, errorResponse)
    141. 

  141. 		return
    142. 

  142. 	}
    143. 

  143. 	logger.Log(2, username, "was authenticated")
    144. 

  144. 	response.Header().Set("Content-Type", "application/json")
    145. 

  145. 	response.Write(successJSONResponse)
    146. 

  146. 

  147. 	go func() {
    148. 

  148. 		if servercfg.IsPro && servercfg.GetRacAutoDisable() {
    149. 

  149. 			// enable all associeated clients for the user
    150. 

  150. 			clients, err := logic.GetAllExtClients()
    151. 

  151. 			if err != nil {
    152. 

  152. 				slog.Error("error getting clients: ", "error", err)
    153. 

  153. 				return
    154. 

  154. 			}
    155. 

  155. 			for _, client := range clients {
    156. 

  156. 				if client.OwnerID == username && !client.Enabled {
    157. 

  157. 					slog.Info(
    158. 

  158. 						fmt.Sprintf(
    159. 

  159. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    160. 

  160. 							client.ClientID,
    161. 

  161. 							client.OwnerID,
    162. 

  162. 						),
    163. 

  163. 					)
    164. 

  164. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    165. 

  165. 						slog.Error(
    166. 

  166. 							"error enabling ext client in RAC autodisable hook",
    167. 

  167. 							"error",
    168. 

  168. 							err,
    169. 

  169. 						)
    170. 

  170. 						continue // dont return but try for other clients
    171. 

  171. 					} else {
    172. 

  172. 						// publish peer update to ingress gateway
    173. 

  173. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    174. 

  174. 							if err = mq.PublishPeerUpdate(false); err != nil {
    175. 

  175. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    176. 

  176. 							}
    177. 

  177. 						}
    178. 

  178. 					}
    179. 

  179. 				}
    180. 

  180. 			}
    181. 

  181. 		}
    182. 

  182. 	}()
    183. 

  183. }
    184. 

  184. 

  185. // @Summary     Check if the server has a super admin
    186. 

  186. // @Router      /api/users/adm/hassuperadmin [get]
    187. 

  187. // @Tags        Users
    188. 

  188. // @Success     200 {object} bool
    189. 

  189. // @Failure     500 {object} models.ErrorResponse
    190. 

  190. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    191. 

  191. 

  192. 	w.Header().Set("Content-Type", "application/json")
    193. 

  193. 

  194. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    195. 

  195. 	if err != nil {
    196. 

  196. 		logger.Log(0, "failed to check for admin: ", err.Error())
    197. 

  197. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    198. 

  198. 		return
    199. 

  199. 	}
    200. 

  200. 

  201. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    202. 

  202. 

  203. }
    204. 

  204. 

  205. // @Summary     Get an individual user
    206. 

  206. // @Router      /api/users/{username} [get]
    207. 

  207. // @Tags        Users
    208. 

  208. // @Param       username path string true "Username of the user to fetch"
    209. 

  209. // @Success     200 {object} models.User
    210. 

  210. // @Failure     500 {object} models.ErrorResponse
    211. 

  211. func getUser(w http.ResponseWriter, r *http.Request) {
    212. 

  212. 	// set header.
    213. 

  213. 	w.Header().Set("Content-Type", "application/json")
    214. 

  214. 

  215. 	var params = mux.Vars(r)
    216. 

  216. 	usernameFetched := params["username"]
    217. 

  217. 	user, err := logic.GetReturnUser(usernameFetched)
    218. 

  218. 

  219. 	if err != nil {
    220. 

  220. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    221. 

  221. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    222. 

  222. 		return
    223. 

  223. 	}
    224. 

  224. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    225. 

  225. 	json.NewEncoder(w).Encode(user)
    226. 

  226. }
    227. 

  227. 

  228. // swagger:route GET /api/v1/users user getUserV1
    229. 

  229. //
    230. 

  230. // Get an individual user with role info.
    231. 

  231. //
    232. 

  232. //			Schemes: https
    233. 

  233. //
    234. 

  234. //			Security:
    235. 

  235. //	  		oauth
    236. 

  236. //
    237. 

  237. //			Responses:
    238. 

  238. //				200: ReturnUserWithRolesAndGroups
    239. 

  239. func getUserV1(w http.ResponseWriter, r *http.Request) {
    240. 

  240. 	// set header.
    241. 

  241. 	w.Header().Set("Content-Type", "application/json")
    242. 

  242. 	usernameFetched := r.URL.Query().Get("username")
    243. 

  243. 	if usernameFetched == "" {
    244. 

  244. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    245. 

  245. 		return
    246. 

  246. 	}
    247. 

  247. 	user, err := logic.GetReturnUser(usernameFetched)
    248. 

  248. 	if err != nil {
    249. 

  249. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    250. 

  250. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    251. 

  251. 		return
    252. 

  252. 	}
    253. 

  253. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    254. 

  254. 	if err != nil {
    255. 

  255. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    256. 

  256. 		return
    257. 

  257. 	}
    258. 

  258. 	resp := models.ReturnUserWithRolesAndGroups{
    259. 

  259. 		ReturnUser:   user,
    260. 

  260. 		PlatformRole: userRoleTemplate,
    261. 

  261. 		UserGroups:   map[models.UserGroupID]models.UserGroup{},
    262. 

  262. 	}
    263. 

  263. 	for gId := range user.UserGroups {
    264. 

  264. 		grp, err := logic.GetUserGroup(gId)
    265. 

  265. 		if err != nil {
    266. 

  266. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    267. 

  267. 			return
    268. 

  268. 		}
    269. 

  269. 		resp.UserGroups[gId] = grp
    270. 

  270. 	}
    271. 

  271. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    272. 

  272. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    273. 

  273. }
    274. 

  274. 

  275. // swagger:route GET /api/users user getUsers
    276. 

  276. //
    277. 

  277. // Get all users.
    278. 

  278. //
    279. 

  279. //			Schemes: https
    280. 

  280. //
    281. 

  281. //			Security:
    282. 

  282. //	  		oauth
    283. 

  283. //
    284. 

  284. //			Responses:
    285. 

  285. //				200: userBodyResponse
    286. 

  286. func getUsers(w http.ResponseWriter, r *http.Request) {
    287. 

  287. 	// set header.
    288. 

  288. 	w.Header().Set("Content-Type", "application/json")
    289. 

  289. 

  290. 	users, err := logic.GetUsers()
    291. 

  291. 

  292. 	if err != nil {
    293. 

  293. 		logger.Log(0, "failed to fetch users: ", err.Error())
    294. 

  294. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    295. 

  295. 		return
    296. 

  296. 	}
    297. 

  297. 

  298. 	logic.SortUsers(users[:])
    299. 

  299. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    300. 

  300. 	json.NewEncoder(w).Encode(users)
    301. 

  301. }
    302. 

  302. 

  303. // @Summary     Create a super admin
    304. 

  304. // @Router      /api/users/adm/createsuperadmin [post]
    305. 

  305. // @Tags        Users
    306. 

  306. // @Param       body body models.User true "User details"
    307. 

  307. // @Success     200 {object} models.User
    308. 

  308. // @Failure     400 {object} models.ErrorResponse
    309. 

  309. // @Failure     500 {object} models.ErrorResponse
    310. 

  310. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    311. 

  311. 	w.Header().Set("Content-Type", "application/json")
    312. 

  312. 

  313. 	var u models.User
    314. 

  314. 

  315. 	err := json.NewDecoder(r.Body).Decode(&u)
    316. 

  316. 	if err != nil {
    317. 

  317. 		slog.Error("error decoding request body", "error", err.Error())
    318. 

  318. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    319. 

  319. 		return
    320. 

  320. 	}
    321. 

  321. 

  322. 	if !servercfg.IsBasicAuthEnabled() {
    323. 

  323. 		logic.ReturnErrorResponse(
    324. 

  324. 			w,
    325. 

  325. 			r,
    326. 

  326. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    327. 

  327. 		)
    328. 

  328. 		return
    329. 

  329. 	}
    330. 

  330. 

  331. 	err = logic.CreateSuperAdmin(&u)
    332. 

  332. 	if err != nil {
    333. 

  333. 		slog.Error("failed to create admin", "error", err.Error())
    334. 

  334. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    335. 

  335. 		return
    336. 

  336. 	}
    337. 

  337. 	logger.Log(1, u.UserName, "was made a super admin")
    338. 

  338. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    339. 

  339. }
    340. 

  340. 

  341. // @Summary     Transfer super admin role to another admin user
    342. 

  342. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    343. 

  343. // @Tags        Users
    344. 

  344. // @Param       username path string true "Username of the user to transfer super admin role"
    345. 

  345. // @Success     200 {object} models.User
    346. 

  346. // @Failure     403 {object} models.ErrorResponse
    347. 

  347. // @Failure     500 {object} models.ErrorResponse
    348. 

  348. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    349. 

  349. 	w.Header().Set("Content-Type", "application/json")
    350. 

  350. 	caller, err := logic.GetUser(r.Header.Get("user"))
    351. 

  351. 	if err != nil {
    352. 

  352. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    353. 

  353. 	}
    354. 

  354. 	if caller.PlatformRoleID != models.SuperAdminRole {
    355. 

  355. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    356. 

  356. 		return
    357. 

  357. 	}
    358. 

  358. 	var params = mux.Vars(r)
    359. 

  359. 	username := params["username"]
    360. 

  360. 	u, err := logic.GetUser(username)
    361. 

  361. 	if err != nil {
    362. 

  362. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    363. 

  363. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    364. 

  364. 		return
    365. 

  365. 	}
    366. 

  366. 	if u.PlatformRoleID != models.AdminRole {
    367. 

  367. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    368. 

  368. 		return
    369. 

  369. 	}
    370. 

  370. 	if !servercfg.IsBasicAuthEnabled() {
    371. 

  371. 		logic.ReturnErrorResponse(
    372. 

  372. 			w,
    373. 

  373. 			r,
    374. 

  374. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    375. 

  375. 		)
    376. 

  376. 		return
    377. 

  377. 	}
    378. 

  378. 

  379. 	u.PlatformRoleID = models.SuperAdminRole
    380. 

  380. 	err = logic.UpsertUser(*u)
    381. 

  381. 	if err != nil {
    382. 

  382. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    383. 

  383. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    384. 

  384. 		return
    385. 

  385. 	}
    386. 

  386. 	caller.PlatformRoleID = models.AdminRole
    387. 

  387. 	err = logic.UpsertUser(*caller)
    388. 

  388. 	if err != nil {
    389. 

  389. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    390. 

  390. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    391. 

  391. 		return
    392. 

  392. 	}
    393. 

  393. 	slog.Info("user was made a super admin", "user", u.UserName)
    394. 

  394. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    395. 

  395. }
    396. 

  396. 

  397. // @Summary     Create a user
    398. 

  398. // @Router      /api/users/{username} [post]
    399. 

  399. // @Tags        Users
    400. 

  400. // @Param       username path string true "Username of the user to create"
    401. 

  401. // @Param       body body models.User true "User details"
    402. 

  402. // @Success     200 {object} models.User
    403. 

  403. // @Failure     400 {object} models.ErrorResponse
    404. 

  404. // @Failure     403 {object} models.ErrorResponse
    405. 

  405. // @Failure     500 {object} models.ErrorResponse
    406. 

  406. func createUser(w http.ResponseWriter, r *http.Request) {
    407. 

  407. 	w.Header().Set("Content-Type", "application/json")
    408. 

  408. 	caller, err := logic.GetUser(r.Header.Get("user"))
    409. 

  409. 	if err != nil {
    410. 

  410. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    411. 

  411. 		return
    412. 

  412. 	}
    413. 

  413. 	var user models.User
    414. 

  414. 	err = json.NewDecoder(r.Body).Decode(&user)
    415. 

  415. 	if err != nil {
    416. 

  416. 		logger.Log(0, user.UserName, "error decoding request body: ",
    417. 

  417. 			err.Error())
    418. 

  418. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    419. 

  419. 		return
    420. 

  420. 	}
    421. 

  421. 	if !servercfg.IsPro {
    422. 

  422. 		user.PlatformRoleID = models.AdminRole
    423. 

  423. 	}
    424. 

  424. 

  425. 	if user.PlatformRoleID == "" {
    426. 

  426. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    427. 

  427. 		return
    428. 

  428. 	}
    429. 

  429. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    430. 

  430. 	if err != nil {
    431. 

  431. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    432. 

  432. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    433. 

  433. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    434. 

  434. 		return
    435. 

  435. 	}
    436. 

  436. 	if userRole.ID == models.SuperAdminRole {
    437. 

  437. 		err = errors.New("additional superadmins cannot be created")
    438. 

  438. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    439. 

  439. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    440. 

  440. 		return
    441. 

  441. 	}
    442. 

  442. 

  443. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    444. 

  444. 		err = errors.New("only superadmin can create admin users")
    445. 

  445. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    446. 

  446. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    447. 

  447. 		return
    448. 

  448. 	}
    449. 

  449. 

  450. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    451. 

  451. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    452. 

  452. 		return
    453. 

  453. 	}
    454. 

  454. 

  455. 	err = logic.CreateUser(&user)
    456. 

  456. 	if err != nil {
    457. 

  457. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    458. 

  458. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    459. 

  459. 		return
    460. 

  460. 	}
    461. 

  461. 	logic.DeleteUserInvite(user.UserName)
    462. 

  462. 	logic.DeletePendingUser(user.UserName)
    463. 

  463. 	go mq.PublishPeerUpdate(false)
    464. 

  464. 	slog.Info("user was created", "username", user.UserName)
    465. 

  465. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    466. 

  466. }
    467. 

  467. 

  468. // @Summary     Update a user
    469. 

  469. // @Router      /api/users/{username} [put]
    470. 

  470. // @Tags        Users
    471. 

  471. // @Param       username path string true "Username of the user to update"
    472. 

  472. // @Param       body body models.User true "User details"
    473. 

  473. // @Success     200 {object} models.User
    474. 

  474. // @Failure     400 {object} models.ErrorResponse
    475. 

  475. // @Failure     403 {object} models.ErrorResponse
    476. 

  476. // @Failure     500 {object} models.ErrorResponse
    477. 

  477. func updateUser(w http.ResponseWriter, r *http.Request) {
    478. 

  478. 	w.Header().Set("Content-Type", "application/json")
    479. 

  479. 	var params = mux.Vars(r)
    480. 

  480. 	// start here
    481. 

  481. 	var caller *models.User
    482. 

  482. 	var err error
    483. 

  483. 	var ismaster bool
    484. 

  484. 	if r.Header.Get("user") == logic.MasterUser {
    485. 

  485. 		ismaster = true
    486. 

  486. 	} else {
    487. 

  487. 		caller, err = logic.GetUser(r.Header.Get("user"))
    488. 

  488. 		if err != nil {
    489. 

  489. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    490. 

  490. 		}
    491. 

  491. 	}
    492. 

  492. 

  493. 	username := params["username"]
    494. 

  494. 	user, err := logic.GetUser(username)
    495. 

  495. 	if err != nil {
    496. 

  496. 		logger.Log(0, username,
    497. 

  497. 			"failed to update user info: ", err.Error())
    498. 

  498. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    499. 

  499. 		return
    500. 

  500. 	}
    501. 

  501. 	var userchange models.User
    502. 

  502. 	// we decode our body request params
    503. 

  503. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    504. 

  504. 	if err != nil {
    505. 

  505. 		slog.Error("failed to decode body", "error ", err.Error())
    506. 

  506. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    507. 

  507. 		return
    508. 

  508. 	}
    509. 

  509. 	if user.UserName != userchange.UserName {
    510. 

  510. 		logic.ReturnErrorResponse(
    511. 

  511. 			w,
    512. 

  512. 			r,
    513. 

  513. 			logic.FormatError(
    514. 

  514. 				errors.New("user in param and request body not matching"),
    515. 

  515. 				"badrequest",
    516. 

  516. 			),
    517. 

  517. 		)
    518. 

  518. 		return
    519. 

  519. 	}
    520. 

  520. 	selfUpdate := false
    521. 

  521. 	if !ismaster && caller.UserName == user.UserName {
    522. 

  522. 		selfUpdate = true
    523. 

  523. 	}
    524. 

  524. 

  525. 	if !ismaster && !selfUpdate {
    526. 

  526. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    527. 

  527. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    528. 

  528. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    529. 

  529. 			return
    530. 

  530. 		}
    531. 

  531. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    532. 

  532. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    533. 

  533. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    534. 

  534. 			return
    535. 

  535. 		}
    536. 

  536. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    537. 

  537. 			slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
    538. 

  538. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
    539. 

  539. 			return
    540. 

  540. 		}
    541. 

  541. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    542. 

  542. 			err = errors.New("admin user cannot update role of an another user to admin")
    543. 

  543. 			slog.Error(
    544. 

  544. 				"failed to update user",
    545. 

  545. 				"caller",
    546. 

  546. 				caller.UserName,
    547. 

  547. 				"attempted to update user",
    548. 

  548. 				username,
    549. 

  549. 				"error",
    550. 

  550. 				err,
    551. 

  551. 			)
    552. 

  552. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    553. 

  553. 			return
    554. 

  554. 		}
    555. 

  555. 

  556. 	}
    557. 

  557. 	if !ismaster && selfUpdate {
    558. 

  558. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    559. 

  559. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    560. 

  560. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    561. 

  561. 			return
    562. 

  562. 

  563. 		}
    564. 

  564. 		if servercfg.IsPro {
    565. 

  565. 			// user cannot update his own roles and groups
    566. 

  566. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    567. 

  567. 				err = errors.New("user cannot update self update their network roles")
    568. 

  568. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    569. 

  569. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    570. 

  570. 				return
    571. 

  571. 			}
    572. 

  572. 			// user cannot update his own roles and groups
    573. 

  573. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    574. 

  574. 				err = errors.New("user cannot update self update their groups")
    575. 

  575. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    576. 

  576. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    577. 

  577. 				return
    578. 

  578. 			}
    579. 

  579. 		}
    580. 

  580. 

  581. 	}
    582. 

  582. 	if ismaster {
    583. 

  583. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    584. 

  584. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    585. 

  585. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    586. 

  586. 			return
    587. 

  587. 		}
    588. 

  588. 	}
    589. 

  589. 

  590. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    591. 

  591. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    592. 

  592. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    593. 

  593. 		return
    594. 

  594. 	}
    595. 

  595. 

  596. 	user, err = logic.UpdateUser(&userchange, user)
    597. 

  597. 	if err != nil {
    598. 

  598. 		logger.Log(0, username,
    599. 

  599. 			"failed to update user info: ", err.Error())
    600. 

  600. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    601. 

  601. 		return
    602. 

  602. 	}
    603. 

  603. 	go mq.PublishPeerUpdate(false)
    604. 

  604. 	logger.Log(1, username, "was updated")
    605. 

  605. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    606. 

  606. }
    607. 

  607. 

  608. // @Summary     Delete a user
    609. 

  609. // @Router      /api/users/{username} [delete]
    610. 

  610. // @Tags        Users
    611. 

  611. // @Param       username path string true "Username of the user to delete"
    612. 

  612. // @Success     200 {string} string
    613. 

  613. // @Failure     500 {object} models.ErrorResponse
    614. 

  614. func deleteUser(w http.ResponseWriter, r *http.Request) {
    615. 

  615. 	// Set header
    616. 

  616. 	w.Header().Set("Content-Type", "application/json")
    617. 

  617. 

  618. 	// get params
    619. 

  619. 	var params = mux.Vars(r)
    620. 

  620. 	caller, err := logic.GetUser(r.Header.Get("user"))
    621. 

  621. 	if err != nil {
    622. 

  622. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    623. 

  623. 	}
    624. 

  624. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    625. 

  625. 	if err != nil {
    626. 

  626. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    627. 

  627. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    628. 

  628. 		return
    629. 

  629. 	}
    630. 

  630. 	username := params["username"]
    631. 

  631. 	user, err := logic.GetUser(username)
    632. 

  632. 	if err != nil {
    633. 

  633. 		logger.Log(0, username,
    634. 

  634. 			"failed to update user info: ", err.Error())
    635. 

  635. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    636. 

  636. 		return
    637. 

  637. 	}
    638. 

  638. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    639. 

  639. 	if err != nil {
    640. 

  640. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    641. 

  641. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    642. 

  642. 		return
    643. 

  643. 	}
    644. 

  644. 	if userRole.ID == models.SuperAdminRole {
    645. 

  645. 		slog.Error(
    646. 

  646. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    647. 

  647. 		logic.ReturnErrorResponse(
    648. 

  648. 			w,
    649. 

  649. 			r,
    650. 

  650. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    651. 

  651. 		)
    652. 

  652. 		return
    653. 

  653. 	}
    654. 

  654. 	if callerUserRole.ID != models.SuperAdminRole {
    655. 

  655. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    656. 

  656. 			slog.Error(
    657. 

  657. 				"failed to delete user: ",
    658. 

  658. 				"user",
    659. 

  659. 				username,
    660. 

  660. 				"error",
    661. 

  661. 				"admin cannot delete another admin user, including oneself",
    662. 

  662. 			)
    663. 

  663. 			logic.ReturnErrorResponse(
    664. 

  664. 				w,
    665. 

  665. 				r,
    666. 

  666. 				logic.FormatError(
    667. 

  667. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    668. 

  668. 					"internal",
    669. 

  669. 				),
    670. 

  670. 			)
    671. 

  671. 			return
    672. 

  672. 		}
    673. 

  673. 	}
    674. 

  674. 	success, err := logic.DeleteUser(username)
    675. 

  675. 	if err != nil {
    676. 

  676. 		logger.Log(0, username,
    677. 

  677. 			"failed to delete user: ", err.Error())
    678. 

  678. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    679. 

  679. 		return
    680. 

  680. 	} else if !success {
    681. 

  681. 		err := errors.New("delete unsuccessful")
    682. 

  682. 		logger.Log(0, username, err.Error())
    683. 

  683. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    684. 

  684. 		return
    685. 

  685. 	}
    686. 

  686. 	// check and delete extclient with this ownerID
    687. 

  687. 	go func() {
    688. 

  688. 		extclients, err := logic.GetAllExtClients()
    689. 

  689. 		if err != nil {
    690. 

  690. 			slog.Error("failed to get extclients", "error", err)
    691. 

  691. 			return
    692. 

  692. 		}
    693. 

  693. 		for _, extclient := range extclients {
    694. 

  694. 			if extclient.OwnerID == user.UserName {
    695. 

  695. 				err = logic.DeleteExtClientAndCleanup(extclient)
    696. 

  696. 				if err != nil {
    697. 

  697. 					slog.Error("failed to delete extclient",
    698. 

  698. 						"id", extclient.ClientID, "owner", username, "error", err)
    699. 

  699. 				} else {
    700. 

  700. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    701. 

  701. 						slog.Error("error setting ext peers: " + err.Error())
    702. 

  702. 					}
    703. 

  703. 				}
    704. 

  704. 			}
    705. 

  705. 		}
    706. 

  706. 		mq.PublishPeerUpdate(false)
    707. 

  707. 		if servercfg.IsDNSMode() {
    708. 

  708. 			logic.SetDNS()
    709. 

  709. 		}
    710. 

  710. 	}()
    711. 

  711. 	logger.Log(1, username, "was deleted")
    712. 

  712. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    713. 

  713. }
    714. 

  714. 

  715. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    716. 

  716. func socketHandler(w http.ResponseWriter, r *http.Request) {
    717. 

  717. 	// Upgrade our raw HTTP connection to a websocket based one
    718. 

  718. 	conn, err := upgrader.Upgrade(w, r, nil)
    719. 

  719. 	if err != nil {
    720. 

  720. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    721. 

  721. 		return
    722. 

  722. 	}
    723. 

  723. 	if conn == nil {
    724. 

  724. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    725. 

  725. 		return
    726. 

  726. 	}
    727. 

  727. 	// Start handling the session
    728. 

  728. 	go auth.SessionHandler(conn)
    729. 

  729. }
    730. 

  730. 

  731. // @Summary     lists all user roles.
    732. 

  732. // @Router      /api/v1/user/roles [get]
    733. 

  733. // @Tags        Users
    734. 

  734. // @Param       role_id query string true "roleid required to get the role details"
    735. 

  735. // @Success     200 {object}  []models.UserRolePermissionTemplate
    736. 

  736. // @Failure     500 {object} models.ErrorResponse
    737. 

  737. func listRoles(w http.ResponseWriter, r *http.Request) {
    738. 

  738. 	var roles []models.UserRolePermissionTemplate
    739. 

  739. 	var err error
    740. 

  740. 	roles, err = logic.ListPlatformRoles()
    741. 

  741. 	if err != nil {
    742. 

  742. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    743. 

  743. 			Code:    http.StatusInternalServerError,
    744. 

  744. 			Message: err.Error(),
    745. 

  745. 		})
    746. 

  746. 		return
    747. 

  747. 	}
    748. 

  748. 

  749. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    750. 

  750. }
    751.