Home Explore Help
Sign In
golang
/
netmaker
mirror of https://github.com/gravitl/netmaker
2
0
Fork 0
Files Issues 0 Wiki
Branch: NM-120
Branches Tags
netmaker
/
pro
/
controllers
/
users.go

users.go 62 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996 
  1. package controllers
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 	"fmt"
    8. 

  8. 	"net/http"
    9. 

  9. 	"net/url"
    10. 

  10. 	"strings"
    11. 

  11. 	"time"
    12. 

  12. 

  13. 	"github.com/google/uuid"
    14. 

  14. 	"github.com/gorilla/mux"
    15. 

  15. 	"github.com/gravitl/netmaker/database"
    16. 

  16. 	"github.com/gravitl/netmaker/logger"
    17. 

  17. 	"github.com/gravitl/netmaker/logic"
    18. 

  18. 	"github.com/gravitl/netmaker/models"
    19. 

  19. 	"github.com/gravitl/netmaker/mq"
    20. 

  20. 	proAuth "github.com/gravitl/netmaker/pro/auth"
    21. 

  21. 	"github.com/gravitl/netmaker/pro/email"
    22. 

  22. 	"github.com/gravitl/netmaker/pro/idp"
    23. 

  23. 	"github.com/gravitl/netmaker/pro/idp/azure"
    24. 

  24. 	"github.com/gravitl/netmaker/pro/idp/google"
    25. 

  25. 	"github.com/gravitl/netmaker/pro/idp/okta"
    26. 

  26. 	proLogic "github.com/gravitl/netmaker/pro/logic"
    27. 

  27. 	"github.com/gravitl/netmaker/servercfg"
    28. 

  28. 	"github.com/gravitl/netmaker/utils"
    29. 

  29. 	"golang.org/x/exp/slog"
    30. 

  30. )
    31. 

  31. 

  32. func UserHandlers(r *mux.Router) {
    33. 

  33. 

  34. 	r.HandleFunc("/api/oauth/login", proAuth.HandleAuthLogin).Methods(http.MethodGet)
    35. 

  35. 	r.HandleFunc("/api/oauth/callback", proAuth.HandleAuthCallback).Methods(http.MethodGet)
    36. 

  36. 	r.HandleFunc("/api/oauth/headless", proAuth.HandleHeadlessSSO)
    37. 

  37. 	r.HandleFunc("/api/oauth/register/{regKey}", proAuth.RegisterHostSSO).Methods(http.MethodGet)
    38. 

  38. 

  39. 	// User Role Handlers
    40. 

  40. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
    42. 

  42. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
    43. 

  43. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)
    44. 

  44. 

  45. 	// User Group Handlers
    46. 

  46. 	r.HandleFunc("/api/v1/users/groups", logic.SecurityCheck(true, http.HandlerFunc(listUserGroups))).Methods(http.MethodGet)
    47. 

  47. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(getUserGroup))).Methods(http.MethodGet)
    48. 

  48. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(createUserGroup))).Methods(http.MethodPost)
    49. 

  49. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(updateUserGroup))).Methods(http.MethodPut)
    50. 

  50. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(deleteUserGroup))).Methods(http.MethodDelete)
    51. 

  51. 	r.HandleFunc("/api/v1/users/add_network_user", logic.SecurityCheck(true, http.HandlerFunc(addUsertoNetwork))).Methods(http.MethodPut)
    52. 

  52. 	r.HandleFunc("/api/v1/users/remove_network_user", logic.SecurityCheck(true, http.HandlerFunc(removeUserfromNetwork))).Methods(http.MethodPut)
    53. 

  53. 

  54. 	// User Invite Handlers
    55. 

  55. 	r.HandleFunc("/api/v1/users/invite", userInviteVerify).Methods(http.MethodGet)
    56. 

  56. 	r.HandleFunc("/api/v1/users/invite-signup", userInviteSignUp).Methods(http.MethodPost)
    57. 

  57. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(inviteUsers))).Methods(http.MethodPost)
    58. 

  58. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(listUserInvites))).Methods(http.MethodGet)
    59. 

  59. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(deleteUserInvite))).Methods(http.MethodDelete)
    60. 

  60. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(deleteAllUserInvites))).Methods(http.MethodDelete)
    61. 

  61. 

  62. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(getPendingUsers))).Methods(http.MethodGet)
    63. 

  63. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(deleteAllPendingUsers))).Methods(http.MethodDelete)
    64. 

  64. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
    65. 

  65. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)
    66. 

  66. 

  67. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(attachUserToRemoteAccessGw))).Methods(http.MethodPost)
    68. 

  68. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(removeUserFromRemoteAccessGW))).Methods(http.MethodDelete)
    69. 

  69. 	r.HandleFunc("/api/users/{username}/remote_access_gw", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserRemoteAccessGwsV1)))).Methods(http.MethodGet)
    70. 

  70. 	r.HandleFunc("/api/users/ingress/{ingress_id}", logic.SecurityCheck(true, http.HandlerFunc(ingressGatewayUsers))).Methods(http.MethodGet)
    71. 

  71. 

  72. 	r.HandleFunc("/api/idp/sync", logic.SecurityCheck(true, http.HandlerFunc(syncIDP))).Methods(http.MethodPost)
    73. 

  73. 	r.HandleFunc("/api/idp/sync/test", logic.SecurityCheck(true, http.HandlerFunc(testIDPSync))).Methods(http.MethodPost)
    74. 

  74. 	r.HandleFunc("/api/idp/sync/status", logic.SecurityCheck(true, http.HandlerFunc(getIDPSyncStatus))).Methods(http.MethodGet)
    75. 

  75. 	r.HandleFunc("/api/idp", logic.SecurityCheck(true, http.HandlerFunc(removeIDPIntegration))).Methods(http.MethodDelete)
    76. 

  76. }
    77. 

  77. 

  78. // swagger:route POST /api/v1/users/invite-signup user userInviteSignUp
    79. 

  79. //
    80. 

  80. // user signup via invite.
    81. 

  81. //
    82. 

  82. //	Schemes: https
    83. 

  83. //
    84. 

  84. //	Responses:
    85. 

  85. //		200: ReturnSuccessResponse
    86. 

  86. func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
    87. 

  87. 	email := r.URL.Query().Get("email")
    88. 

  88. 	code := r.URL.Query().Get("invite_code")
    89. 

  89. 	in, err := logic.GetUserInvite(email)
    90. 

  90. 	if err != nil {
    91. 

  91. 		logger.Log(0, "failed to fetch users: ", err.Error())
    92. 

  92. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    93. 

  93. 		return
    94. 

  94. 	}
    95. 

  95. 	if code != in.InviteCode {
    96. 

  96. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid invite code"), "badrequest"))
    97. 

  97. 		return
    98. 

  98. 	}
    99. 

  99. 	// check if user already exists
    100. 

  100. 	_, err = logic.GetUser(email)
    101. 

  101. 	if err == nil {
    102. 

  102. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user already exists"), "badrequest"))
    103. 

  103. 		return
    104. 

  104. 	}
    105. 

  105. 	var user models.User
    106. 

  106. 	err = json.NewDecoder(r.Body).Decode(&user)
    107. 

  107. 	if err != nil {
    108. 

  108. 		logger.Log(0, user.UserName, "error decoding request body: ",
    109. 

  109. 			err.Error())
    110. 

  110. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    111. 

  111. 		return
    112. 

  112. 	}
    113. 

  113. 	if user.UserName != email {
    114. 

  114. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not matching with invite"), "badrequest"))
    115. 

  115. 		return
    116. 

  116. 	}
    117. 

  117. 	if user.Password == "" {
    118. 

  118. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("password cannot be empty"), "badrequest"))
    119. 

  119. 		return
    120. 

  120. 	}
    121. 

  121. 

  122. 	user.UserGroups = in.UserGroups
    123. 

  123. 	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
    124. 

  124. 	if user.PlatformRoleID == "" {
    125. 

  125. 		user.PlatformRoleID = models.ServiceUser
    126. 

  126. 	}
    127. 

  127. 	user.NetworkRoles = in.NetworkRoles
    128. 

  128. 	err = logic.CreateUser(&user)
    129. 

  129. 	if err != nil {
    130. 

  130. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    131. 

  131. 		return
    132. 

  132. 	}
    133. 

  133. 	// delete invite
    134. 

  134. 	logic.DeleteUserInvite(email)
    135. 

  135. 	logic.DeletePendingUser(email)
    136. 

  136. 	w.Header().Set("Access-Control-Allow-Origin", "*")
    137. 

  137. 	logic.ReturnSuccessResponse(w, r, "created user successfully "+email)
    138. 

  138. }
    139. 

  139. 

  140. // swagger:route GET /api/v1/users/invite user userInviteVerify
    141. 

  141. //
    142. 

  142. // verfies user invite.
    143. 

  143. //
    144. 

  144. //	Schemes: https
    145. 

  145. //
    146. 

  146. //	Responses:
    147. 

  147. //		200: ReturnSuccessResponse
    148. 

  148. func userInviteVerify(w http.ResponseWriter, r *http.Request) {
    149. 

  149. 	email := r.URL.Query().Get("email")
    150. 

  150. 	code := r.URL.Query().Get("invite_code")
    151. 

  151. 	err := logic.ValidateAndApproveUserInvite(email, code)
    152. 

  152. 	if err != nil {
    153. 

  153. 		logger.Log(0, "failed to fetch users: ", err.Error())
    154. 

  154. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    155. 

  155. 		return
    156. 

  156. 	}
    157. 

  157. 	logic.ReturnSuccessResponse(w, r, "invite is valid")
    158. 

  158. }
    159. 

  159. 

  160. // swagger:route POST /api/v1/users/invite user inviteUsers
    161. 

  161. //
    162. 

  162. // invite users.
    163. 

  163. //
    164. 

  164. //			Schemes: https
    165. 

  165. //
    166. 

  166. //			Security:
    167. 

  167. //	  		oauth
    168. 

  168. //
    169. 

  169. //			Responses:
    170. 

  170. //				200: userBodyResponse
    171. 

  171. func inviteUsers(w http.ResponseWriter, r *http.Request) {
    172. 

  172. 	var inviteReq models.InviteUsersReq
    173. 

  173. 	err := json.NewDecoder(r.Body).Decode(&inviteReq)
    174. 

  174. 	if err != nil {
    175. 

  175. 		slog.Error("error decoding request body", "error",
    176. 

  176. 			err.Error())
    177. 

  177. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    178. 

  178. 		return
    179. 

  179. 	}
    180. 

  180. 	callerUserName := r.Header.Get("user")
    181. 

  181. 	if r.Header.Get("ismaster") != "yes" {
    182. 

  182. 		caller, err := logic.GetUser(callerUserName)
    183. 

  183. 		if err != nil {
    184. 

  184. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "notfound"))
    185. 

  185. 			return
    186. 

  186. 		}
    187. 

  187. 		if inviteReq.PlatformRoleID == models.SuperAdminRole.String() {
    188. 

  188. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("super admin cannot be invited"), "badrequest"))
    189. 

  189. 			return
    190. 

  190. 		}
    191. 

  191. 		if inviteReq.PlatformRoleID == "" {
    192. 

  192. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role id cannot be empty"), "badrequest"))
    193. 

  193. 			return
    194. 

  194. 		}
    195. 

  195. 		if (inviteReq.PlatformRoleID == models.AdminRole.String() ||
    196. 

  196. 			inviteReq.PlatformRoleID == models.SuperAdminRole.String()) && caller.PlatformRoleID != models.SuperAdminRole {
    197. 

  197. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can invite admin users"), "forbidden"))
    198. 

  198. 			return
    199. 

  199. 		}
    200. 

  200. 	}
    201. 

  201. 

  202. 	//validate Req
    203. 

  203. 	err = proLogic.IsGroupsValid(inviteReq.UserGroups)
    204. 

  204. 	if err != nil {
    205. 

  205. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    206. 

  206. 		return
    207. 

  207. 	}
    208. 

  208. 	err = proLogic.IsNetworkRolesValid(inviteReq.NetworkRoles)
    209. 

  209. 	if err != nil {
    210. 

  210. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    211. 

  211. 		return
    212. 

  212. 	}
    213. 

  213. 

  214. 	// check platform role
    215. 

  215. 	_, err = logic.GetRole(models.UserRoleID(inviteReq.PlatformRoleID))
    216. 

  216. 	if err != nil {
    217. 

  217. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    218. 

  218. 		return
    219. 

  219. 	}
    220. 

  220. 	for _, inviteeEmail := range inviteReq.UserEmails {
    221. 

  221. 		inviteeEmail = strings.ToLower(inviteeEmail)
    222. 

  222. 		// check if user with email exists, then ignore
    223. 

  223. 		if !email.IsValid(inviteeEmail) {
    224. 

  224. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid email "+inviteeEmail), "badrequest"))
    225. 

  225. 			return
    226. 

  226. 		}
    227. 

  227. 		_, err := logic.GetUser(inviteeEmail)
    228. 

  228. 		if err == nil {
    229. 

  229. 			// user exists already, so ignore
    230. 

  230. 			continue
    231. 

  231. 		}
    232. 

  232. 		invite := models.UserInvite{
    233. 

  233. 			Email:          inviteeEmail,
    234. 

  234. 			PlatformRoleID: inviteReq.PlatformRoleID,
    235. 

  235. 			UserGroups:     inviteReq.UserGroups,
    236. 

  236. 			NetworkRoles:   inviteReq.NetworkRoles,
    237. 

  237. 			InviteCode:     logic.RandomString(8),
    238. 

  238. 		}
    239. 

  239. 		frontendURL := strings.TrimSuffix(servercfg.GetFrontendURL(), "/")
    240. 

  240. 		if frontendURL == "" {
    241. 

  241. 			frontendURL = fmt.Sprintf("https://dashboard.%s", servercfg.GetNmBaseDomain())
    242. 

  242. 		}
    243. 

  243. 		u, err := url.Parse(fmt.Sprintf("%s/invite?email=%s&invite_code=%s",
    244. 

  244. 			frontendURL, url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    245. 

  245. 		if err != nil {
    246. 

  246. 			slog.Error("failed to parse to invite url", "error", err)
    247. 

  247. 			return
    248. 

  248. 		}
    249. 

  249. 		if servercfg.DeployedByOperator() {
    250. 

  250. 			u, err = url.Parse(fmt.Sprintf("%s/invite?tenant_id=%s&email=%s&invite_code=%s",
    251. 

  251. 				proLogic.GetAccountsUIHost(), url.QueryEscape(servercfg.GetNetmakerTenantID()), url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    252. 

  252. 			if err != nil {
    253. 

  253. 				slog.Error("failed to parse to invite url", "error", err)
    254. 

  254. 				return
    255. 

  255. 			}
    256. 

  256. 		}
    257. 

  257. 		invite.InviteURL = u.String()
    258. 

  258. 		err = logic.InsertUserInvite(invite)
    259. 

  259. 		if err != nil {
    260. 

  260. 			slog.Error("failed to insert invite for user", "email", invite.Email, "error", err)
    261. 

  261. 		}
    262. 

  262. 		logic.LogEvent(&models.Event{
    263. 

  263. 			Action: models.Create,
    264. 

  264. 			Source: models.Subject{
    265. 

  265. 				ID:   callerUserName,
    266. 

  266. 				Name: callerUserName,
    267. 

  267. 				Type: models.UserSub,
    268. 

  268. 				Info: invite,
    269. 

  269. 			},
    270. 

  270. 			TriggeredBy: callerUserName,
    271. 

  271. 			Target: models.Subject{
    272. 

  272. 				ID:   inviteeEmail,
    273. 

  273. 				Name: inviteeEmail,
    274. 

  274. 				Type: models.UserInviteSub,
    275. 

  275. 			},
    276. 

  276. 			Origin: models.Dashboard,
    277. 

  277. 		})
    278. 

  278. 		// notify user with magic link
    279. 

  279. 		go func(invite models.UserInvite) {
    280. 

  280. 			// Set E-Mail body. You can set plain text or html with text/html
    281. 

  281. 

  282. 			e := email.UserInvitedMail{
    283. 

  283. 				BodyBuilder:    &email.EmailBodyBuilderWithH1HeadlineAndImage{},
    284. 

  284. 				InviteURL:      invite.InviteURL,
    285. 

  285. 				PlatformRoleID: invite.PlatformRoleID,
    286. 

  286. 			}
    287. 

  287. 			n := email.Notification{
    288. 

  288. 				RecipientMail: invite.Email,
    289. 

  289. 			}
    290. 

  290. 			err = email.GetClient().SendEmail(context.Background(), n, e)
    291. 

  291. 			if err != nil {
    292. 

  292. 				slog.Error("failed to send email invite", "user", invite.Email, "error", err)
    293. 

  293. 			}
    294. 

  294. 		}(invite)
    295. 

  295. 	}
    296. 

  296. 

  297. 	logic.ReturnSuccessResponse(w, r, "triggered user invites")
    298. 

  298. }
    299. 

  299. 

  300. // swagger:route GET /api/v1/users/invites user listUserInvites
    301. 

  301. //
    302. 

  302. // lists all pending invited users.
    303. 

  303. //
    304. 

  304. //			Schemes: https
    305. 

  305. //
    306. 

  306. //			Security:
    307. 

  307. //	  		oauth
    308. 

  308. //
    309. 

  309. //			Responses:
    310. 

  310. //				200: ReturnSuccessResponseWithJson
    311. 

  311. func listUserInvites(w http.ResponseWriter, r *http.Request) {
    312. 

  312. 	usersInvites, err := logic.ListUserInvites()
    313. 

  313. 	if err != nil {
    314. 

  314. 		logger.Log(0, "failed to fetch users: ", err.Error())
    315. 

  315. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    316. 

  316. 		return
    317. 

  317. 	}
    318. 

  318. 	logic.ReturnSuccessResponseWithJson(w, r, usersInvites, "fetched pending user invites")
    319. 

  319. }
    320. 

  320. 

  321. // swagger:route DELETE /api/v1/users/invite user deleteUserInvite
    322. 

  322. //
    323. 

  323. // delete pending invite.
    324. 

  324. //
    325. 

  325. //			Schemes: https
    326. 

  326. //
    327. 

  327. //			Security:
    328. 

  328. //	  		oauth
    329. 

  329. //
    330. 

  330. //			Responses:
    331. 

  331. //				200: ReturnSuccessResponse
    332. 

  332. func deleteUserInvite(w http.ResponseWriter, r *http.Request) {
    333. 

  333. 	email := r.URL.Query().Get("invitee_email")
    334. 

  334. 	err := logic.DeleteUserInvite(email)
    335. 

  335. 	if err != nil {
    336. 

  336. 		logger.Log(0, "failed to delete user invite: ", email, err.Error())
    337. 

  337. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    338. 

  338. 		return
    339. 

  339. 	}
    340. 

  340. 	logic.LogEvent(&models.Event{
    341. 

  341. 		Action: models.Delete,
    342. 

  342. 		Source: models.Subject{
    343. 

  343. 			ID:   r.Header.Get("user"),
    344. 

  344. 			Name: r.Header.Get("user"),
    345. 

  345. 			Type: models.UserSub,
    346. 

  346. 		},
    347. 

  347. 		TriggeredBy: r.Header.Get("user"),
    348. 

  348. 		Target: models.Subject{
    349. 

  349. 			ID:   email,
    350. 

  350. 			Name: email,
    351. 

  351. 			Type: models.UserInviteSub,
    352. 

  352. 		},
    353. 

  353. 		Origin: models.Dashboard,
    354. 

  354. 	})
    355. 

  355. 	logic.ReturnSuccessResponse(w, r, "deleted user invite")
    356. 

  356. }
    357. 

  357. 

  358. // swagger:route DELETE /api/v1/users/invites user deleteAllUserInvites
    359. 

  359. //
    360. 

  360. // deletes all pending invites.
    361. 

  361. //
    362. 

  362. //			Schemes: https
    363. 

  363. //
    364. 

  364. //			Security:
    365. 

  365. //	  		oauth
    366. 

  366. //
    367. 

  367. //			Responses:
    368. 

  368. //				200: ReturnSuccessResponse
    369. 

  369. func deleteAllUserInvites(w http.ResponseWriter, r *http.Request) {
    370. 

  370. 	err := database.DeleteAllRecords(database.USER_INVITES_TABLE_NAME)
    371. 

  371. 	if err != nil {
    372. 

  372. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending user invites "+err.Error()), "internal"))
    373. 

  373. 		return
    374. 

  374. 	}
    375. 

  375. 	logic.LogEvent(&models.Event{
    376. 

  376. 		Action: models.DeleteAll,
    377. 

  377. 		Source: models.Subject{
    378. 

  378. 			ID:   r.Header.Get("user"),
    379. 

  379. 			Name: r.Header.Get("user"),
    380. 

  380. 			Type: models.UserSub,
    381. 

  381. 		},
    382. 

  382. 		TriggeredBy: r.Header.Get("user"),
    383. 

  383. 		Target: models.Subject{
    384. 

  384. 			ID:   "All Invites",
    385. 

  385. 			Name: "All Invites",
    386. 

  386. 			Type: models.UserInviteSub,
    387. 

  387. 		},
    388. 

  388. 		Origin: models.Dashboard,
    389. 

  389. 	})
    390. 

  390. 	logic.ReturnSuccessResponse(w, r, "cleared all pending user invites")
    391. 

  391. }
    392. 

  392. 

  393. // swagger:route GET /api/v1/user/groups user listUserGroups
    394. 

  394. //
    395. 

  395. // Get all user groups.
    396. 

  396. //
    397. 

  397. //			Schemes: https
    398. 

  398. //
    399. 

  399. //			Security:
    400. 

  400. //	  		oauth
    401. 

  401. //
    402. 

  402. //			Responses:
    403. 

  403. //				200: userBodyResponse
    404. 

  404. func listUserGroups(w http.ResponseWriter, r *http.Request) {
    405. 

  405. 	groups, err := proLogic.ListUserGroups()
    406. 

  406. 	if err != nil {
    407. 

  407. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    408. 

  408. 			Code:    http.StatusInternalServerError,
    409. 

  409. 			Message: err.Error(),
    410. 

  410. 		})
    411. 

  411. 		return
    412. 

  412. 	}
    413. 

  413. 	logic.ReturnSuccessResponseWithJson(w, r, groups, "successfully fetched user groups")
    414. 

  414. }
    415. 

  415. 

  416. // swagger:route GET /api/v1/user/group user getUserGroup
    417. 

  417. //
    418. 

  418. // Get user group.
    419. 

  419. //
    420. 

  420. //			Schemes: https
    421. 

  421. //
    422. 

  422. //			Security:
    423. 

  423. //	  		oauth
    424. 

  424. //
    425. 

  425. //			Responses:
    426. 

  426. //				200: userBodyResponse
    427. 

  427. func getUserGroup(w http.ResponseWriter, r *http.Request) {
    428. 

  428. 

  429. 	gid := r.URL.Query().Get("group_id")
    430. 

  430. 	if gid == "" {
    431. 

  431. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    432. 

  432. 		return
    433. 

  433. 	}
    434. 

  434. 	group, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    435. 

  435. 	if err != nil {
    436. 

  436. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    437. 

  437. 			Code:    http.StatusInternalServerError,
    438. 

  438. 			Message: err.Error(),
    439. 

  439. 		})
    440. 

  440. 		return
    441. 

  441. 	}
    442. 

  442. 	logic.ReturnSuccessResponseWithJson(w, r, group, "successfully fetched user group")
    443. 

  443. }
    444. 

  444. 

  445. // swagger:route POST /api/v1/user/group user createUserGroup
    446. 

  446. //
    447. 

  447. // Create user groups.
    448. 

  448. //
    449. 

  449. //			Schemes: https
    450. 

  450. //
    451. 

  451. //			Security:
    452. 

  452. //	  		oauth
    453. 

  453. //
    454. 

  454. //			Responses:
    455. 

  455. //				200: userBodyResponse
    456. 

  456. func createUserGroup(w http.ResponseWriter, r *http.Request) {
    457. 

  457. 	var userGroupReq models.CreateGroupReq
    458. 

  458. 	err := json.NewDecoder(r.Body).Decode(&userGroupReq)
    459. 

  459. 	if err != nil {
    460. 

  460. 		slog.Error("error decoding request body", "error",
    461. 

  461. 			err.Error())
    462. 

  462. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    463. 

  463. 		return
    464. 

  464. 	}
    465. 

  465. 	err = proLogic.ValidateCreateGroupReq(userGroupReq.Group)
    466. 

  466. 	if err != nil {
    467. 

  467. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    468. 

  468. 		return
    469. 

  469. 	}
    470. 

  470. 	err = proLogic.CreateUserGroup(&userGroupReq.Group)
    471. 

  471. 	if err != nil {
    472. 

  472. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    473. 

  473. 		return
    474. 

  474. 	}
    475. 

  475. 

  476. 	for _, userID := range userGroupReq.Members {
    477. 

  477. 		user, err := logic.GetUser(userID)
    478. 

  478. 		if err != nil {
    479. 

  479. 			continue
    480. 

  480. 		}
    481. 

  481. 		if len(user.UserGroups) == 0 {
    482. 

  482. 			user.UserGroups = make(map[models.UserGroupID]struct{})
    483. 

  483. 		}
    484. 

  484. 		user.UserGroups[userGroupReq.Group.ID] = struct{}{}
    485. 

  485. 		logic.UpsertUser(*user)
    486. 

  486. 	}
    487. 

  487. 	logic.LogEvent(&models.Event{
    488. 

  488. 		Action: models.Create,
    489. 

  489. 		Source: models.Subject{
    490. 

  490. 			ID:   r.Header.Get("user"),
    491. 

  491. 			Name: r.Header.Get("user"),
    492. 

  492. 			Type: models.UserSub,
    493. 

  493. 		},
    494. 

  494. 		TriggeredBy: r.Header.Get("user"),
    495. 

  495. 		Target: models.Subject{
    496. 

  496. 			ID:   userGroupReq.Group.ID.String(),
    497. 

  497. 			Name: userGroupReq.Group.Name,
    498. 

  498. 			Type: models.UserGroupSub,
    499. 

  499. 		},
    500. 

  500. 		Origin: models.Dashboard,
    501. 

  501. 	})
    502. 

  502. 	go mq.PublishPeerUpdate(false)
    503. 

  503. 	logic.ReturnSuccessResponseWithJson(w, r, userGroupReq.Group, "created user group")
    504. 

  504. }
    505. 

  505. 

  506. // swagger:route PUT /api/v1/user/group user updateUserGroup
    507. 

  507. //
    508. 

  508. // Update user group.
    509. 

  509. //
    510. 

  510. //			Schemes: https
    511. 

  511. //
    512. 

  512. //			Security:
    513. 

  513. //	  		oauth
    514. 

  514. //
    515. 

  515. //			Responses:
    516. 

  516. //				200: userBodyResponse
    517. 

  517. func updateUserGroup(w http.ResponseWriter, r *http.Request) {
    518. 

  518. 	var userGroup models.UserGroup
    519. 

  519. 	err := json.NewDecoder(r.Body).Decode(&userGroup)
    520. 

  520. 	if err != nil {
    521. 

  521. 		slog.Error("error decoding request body", "error",
    522. 

  522. 			err.Error())
    523. 

  523. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    524. 

  524. 		return
    525. 

  525. 	}
    526. 

  526. 	// fetch curr group
    527. 

  527. 	currUserG, err := proLogic.GetUserGroup(userGroup.ID)
    528. 

  528. 	if err != nil {
    529. 

  529. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    530. 

  530. 		return
    531. 

  531. 	}
    532. 

  532. 	if currUserG.Default {
    533. 

  533. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update default user group"), "badrequest"))
    534. 

  534. 		return
    535. 

  535. 	}
    536. 

  536. 	err = proLogic.ValidateUpdateGroupReq(userGroup)
    537. 

  537. 	if err != nil {
    538. 

  538. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    539. 

  539. 		return
    540. 

  540. 	}
    541. 

  541. 

  542. 	userGroup.ExternalIdentityProviderID = currUserG.ExternalIdentityProviderID
    543. 

  543. 

  544. 	err = proLogic.UpdateUserGroup(userGroup)
    545. 

  545. 	if err != nil {
    546. 

  546. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    547. 

  547. 		return
    548. 

  548. 	}
    549. 

  549. 	logic.LogEvent(&models.Event{
    550. 

  550. 		Action: models.Update,
    551. 

  551. 		Source: models.Subject{
    552. 

  552. 			ID:   r.Header.Get("user"),
    553. 

  553. 			Name: r.Header.Get("user"),
    554. 

  554. 			Type: models.UserSub,
    555. 

  555. 		},
    556. 

  556. 		TriggeredBy: r.Header.Get("user"),
    557. 

  557. 		Target: models.Subject{
    558. 

  558. 			ID:   userGroup.ID.String(),
    559. 

  559. 			Name: userGroup.Name,
    560. 

  560. 			Type: models.UserGroupSub,
    561. 

  561. 		},
    562. 

  562. 		Diff: models.Diff{
    563. 

  563. 			Old: currUserG,
    564. 

  564. 			New: userGroup,
    565. 

  565. 		},
    566. 

  566. 		Origin: models.Dashboard,
    567. 

  567. 	})
    568. 

  568. 	replacePeers := false
    569. 

  569. 	go func() {
    570. 

  570. 		networksAdded := make([]models.NetworkID, 0)
    571. 

  571. 		networksRemoved := make([]models.NetworkID, 0)
    572. 

  572. 

  573. 		for networkID := range userGroup.NetworkRoles {
    574. 

  574. 			if _, ok := currUserG.NetworkRoles[networkID]; !ok {
    575. 

  575. 				networksAdded = append(networksAdded, networkID)
    576. 

  576. 			}
    577. 

  577. 		}
    578. 

  578. 

  579. 		for networkID := range currUserG.NetworkRoles {
    580. 

  580. 			if _, ok := userGroup.NetworkRoles[networkID]; !ok {
    581. 

  581. 				networksRemoved = append(networksRemoved, networkID)
    582. 

  582. 			}
    583. 

  583. 		}
    584. 

  584. 

  585. 		for _, networkID := range networksAdded {
    586. 

  586. 			// ensure the network exists.
    587. 

  587. 			network, err := logic.GetNetwork(networkID.String())
    588. 

  588. 			if err != nil {
    589. 

  589. 				continue
    590. 

  590. 			}
    591. 

  591. 

  592. 			// insert acl if the network is added to the group.
    593. 

  593. 			acl := models.Acl{
    594. 

  594. 				ID:          uuid.New().String(),
    595. 

  595. 				Name:        fmt.Sprintf("%s group", userGroup.Name),
    596. 

  596. 				MetaData:    "This Policy allows user group to communicate with all gateways",
    597. 

  597. 				Default:     false,
    598. 

  598. 				ServiceType: models.Any,
    599. 

  599. 				NetworkID:   models.NetworkID(network.NetID),
    600. 

  600. 				Proto:       models.ALL,
    601. 

  601. 				RuleType:    models.UserPolicy,
    602. 

  602. 				Src: []models.AclPolicyTag{
    603. 

  603. 					{
    604. 

  604. 						ID:    models.UserGroupAclID,
    605. 

  605. 						Value: userGroup.ID.String(),
    606. 

  606. 					},
    607. 

  607. 				},
    608. 

  608. 				Dst: []models.AclPolicyTag{
    609. 

  609. 					{
    610. 

  610. 						ID:    models.NodeTagID,
    611. 

  611. 						Value: fmt.Sprintf("%s.%s", models.NetworkID(network.NetID), models.GwTagName),
    612. 

  612. 					}},
    613. 

  613. 				AllowedDirection: models.TrafficDirectionUni,
    614. 

  614. 				Enabled:          true,
    615. 

  615. 				CreatedBy:        "auto",
    616. 

  616. 				CreatedAt:        time.Now().UTC(),
    617. 

  617. 			}
    618. 

  618. 			_ = logic.InsertAcl(acl)
    619. 

  619. 			replacePeers = true
    620. 

  620. 		}
    621. 

  621. 

  622. 		// since this group doesn't have a role for this network,
    623. 

  623. 		// there is no point in having this group as src in any
    624. 

  624. 		// of the network's acls.
    625. 

  625. 		for _, networkID := range networksRemoved {
    626. 

  626. 			acls, err := logic.ListAclsByNetwork(networkID)
    627. 

  627. 			if err != nil {
    628. 

  628. 				continue
    629. 

  629. 			}
    630. 

  630. 

  631. 			for _, acl := range acls {
    632. 

  632. 				var hasGroupSrc bool
    633. 

  633. 				newAclSrc := make([]models.AclPolicyTag, 0)
    634. 

  634. 				for _, src := range acl.Src {
    635. 

  635. 					if src.ID == models.UserGroupAclID && src.Value == userGroup.ID.String() {
    636. 

  636. 						hasGroupSrc = true
    637. 

  637. 					} else {
    638. 

  638. 						newAclSrc = append(newAclSrc, src)
    639. 

  639. 					}
    640. 

  640. 				}
    641. 

  641. 

  642. 				if hasGroupSrc {
    643. 

  643. 					if len(newAclSrc) == 0 {
    644. 

  644. 						// no other src exists, delete acl.
    645. 

  645. 						_ = logic.DeleteAcl(acl)
    646. 

  646. 					} else {
    647. 

  647. 						// other sources exist, update acl.
    648. 

  648. 						acl.Src = newAclSrc
    649. 

  649. 						_ = logic.UpsertAcl(acl)
    650. 

  650. 					}
    651. 

  651. 					replacePeers = true
    652. 

  652. 				}
    653. 

  653. 			}
    654. 

  654. 		}
    655. 

  655. 	}()
    656. 

  656. 

  657. 	// reset configs for service user
    658. 

  658. 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userGroup.ID, currUserG.NetworkRoles, userGroup.NetworkRoles)
    659. 

  659. 	go mq.PublishPeerUpdate(replacePeers)
    660. 

  660. 	logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
    661. 

  661. }
    662. 

  662. 

  663. // swagger:route PUT /api/v1/users/add_network_user user addUsertoNetwork
    664. 

  664. //
    665. 

  665. // add user to network.
    666. 

  666. //
    667. 

  667. //			Schemes: https
    668. 

  668. //
    669. 

  669. //			Security:
    670. 

  670. //	  		oauth
    671. 

  671. //
    672. 

  672. //			Responses:
    673. 

  673. //				200: userBodyResponse
    674. 

  674. func addUsertoNetwork(w http.ResponseWriter, r *http.Request) {
    675. 

  675. 	username := r.URL.Query().Get("username")
    676. 

  676. 	if username == "" {
    677. 

  677. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    678. 

  678. 		return
    679. 

  679. 	}
    680. 

  680. 	netID := r.URL.Query().Get("network_id")
    681. 

  681. 	if netID == "" {
    682. 

  682. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    683. 

  683. 		return
    684. 

  684. 	}
    685. 

  685. 	user, err := logic.GetUser(username)
    686. 

  686. 	if err != nil {
    687. 

  687. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    688. 

  688. 		return
    689. 

  689. 	}
    690. 

  690. 	if user.PlatformRoleID != models.ServiceUser {
    691. 

  691. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    692. 

  692. 		return
    693. 

  693. 	}
    694. 

  694. 	oldUser := *user
    695. 

  695. 	user.UserGroups[proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID))] = struct{}{}
    696. 

  696. 	logic.UpsertUser(*user)
    697. 

  697. 	logic.LogEvent(&models.Event{
    698. 

  698. 		Action: models.Update,
    699. 

  699. 		Source: models.Subject{
    700. 

  700. 			ID:   r.Header.Get("user"),
    701. 

  701. 			Name: r.Header.Get("user"),
    702. 

  702. 			Type: models.UserSub,
    703. 

  703. 		},
    704. 

  704. 		TriggeredBy: r.Header.Get("user"),
    705. 

  705. 		Target: models.Subject{
    706. 

  706. 			ID:   user.UserName,
    707. 

  707. 			Name: user.UserName,
    708. 

  708. 			Type: models.UserSub,
    709. 

  709. 		},
    710. 

  710. 		Diff: models.Diff{
    711. 

  711. 			Old: oldUser,
    712. 

  712. 			New: user,
    713. 

  713. 		},
    714. 

  714. 		Origin: models.Dashboard,
    715. 

  715. 	})
    716. 

  716. 

  717. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    718. 

  718. }
    719. 

  719. 

  720. // swagger:route PUT /api/v1/users/remove_network_user user removeUserfromNetwork
    721. 

  721. //
    722. 

  722. // add user to network.
    723. 

  723. //
    724. 

  724. //			Schemes: https
    725. 

  725. //
    726. 

  726. //			Security:
    727. 

  727. //	  		oauth
    728. 

  728. //
    729. 

  729. //			Responses:
    730. 

  730. //				200: userBodyResponse
    731. 

  731. func removeUserfromNetwork(w http.ResponseWriter, r *http.Request) {
    732. 

  732. 	username := r.URL.Query().Get("username")
    733. 

  733. 	if username == "" {
    734. 

  734. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    735. 

  735. 		return
    736. 

  736. 	}
    737. 

  737. 	netID := r.URL.Query().Get("network_id")
    738. 

  738. 	if netID == "" {
    739. 

  739. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    740. 

  740. 		return
    741. 

  741. 	}
    742. 

  742. 	user, err := logic.GetUser(username)
    743. 

  743. 	if err != nil {
    744. 

  744. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    745. 

  745. 		return
    746. 

  746. 	}
    747. 

  747. 	if user.PlatformRoleID != models.ServiceUser {
    748. 

  748. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    749. 

  749. 		return
    750. 

  750. 	}
    751. 

  751. 	oldUser := *user
    752. 

  752. 	delete(user.UserGroups, proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID)))
    753. 

  753. 	logic.UpsertUser(*user)
    754. 

  754. 	logic.LogEvent(&models.Event{
    755. 

  755. 		Action: models.Update,
    756. 

  756. 		Source: models.Subject{
    757. 

  757. 			ID:   r.Header.Get("user"),
    758. 

  758. 			Name: r.Header.Get("user"),
    759. 

  759. 			Type: models.UserSub,
    760. 

  760. 		},
    761. 

  761. 		TriggeredBy: r.Header.Get("user"),
    762. 

  762. 		Target: models.Subject{
    763. 

  763. 			ID:   user.UserName,
    764. 

  764. 			Name: user.UserName,
    765. 

  765. 			Type: models.UserSub,
    766. 

  766. 		},
    767. 

  767. 		Diff: models.Diff{
    768. 

  768. 			Old: oldUser,
    769. 

  769. 			New: user,
    770. 

  770. 		},
    771. 

  771. 		Origin: models.Dashboard,
    772. 

  772. 	})
    773. 

  773. 

  774. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    775. 

  775. }
    776. 

  776. 

  777. // swagger:route DELETE /api/v1/user/group user deleteUserGroup
    778. 

  778. //
    779. 

  779. // delete user group.
    780. 

  780. //
    781. 

  781. //			Schemes: https
    782. 

  782. //
    783. 

  783. //			Security:
    784. 

  784. //	  		oauth
    785. 

  785. //
    786. 

  786. //			Responses:
    787. 

  787. //				200: userBodyResponse
    788. 

  788. //
    789. 

  789. // @Summary     Delete user group.
    790. 

  790. // @Router      /api/v1/user/group [delete]
    791. 

  791. // @Tags        Users
    792. 

  792. // @Param       group_id query string true "group id required to delete the role"
    793. 

  793. // @Success     200 {string} string
    794. 

  794. // @Failure     500 {object} models.ErrorResponse
    795. 

  795. func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
    796. 

  796. 

  797. 	gid := r.URL.Query().Get("group_id")
    798. 

  798. 	if gid == "" {
    799. 

  799. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    800. 

  800. 		return
    801. 

  801. 	}
    802. 

  802. 	userG, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    803. 

  803. 	if err != nil {
    804. 

  804. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to fetch group details"), "badrequest"))
    805. 

  805. 		return
    806. 

  806. 	}
    807. 

  807. 	if userG.Default {
    808. 

  808. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default user group"), "badrequest"))
    809. 

  809. 		return
    810. 

  810. 	}
    811. 

  811. 	err = proLogic.DeleteUserGroup(models.UserGroupID(gid))
    812. 

  812. 	if err != nil {
    813. 

  813. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    814. 

  814. 		return
    815. 

  815. 	}
    816. 

  816. 	logic.LogEvent(&models.Event{
    817. 

  817. 		Action: models.Delete,
    818. 

  818. 		Source: models.Subject{
    819. 

  819. 			ID:   r.Header.Get("user"),
    820. 

  820. 			Name: r.Header.Get("user"),
    821. 

  821. 			Type: models.UserSub,
    822. 

  822. 		},
    823. 

  823. 		TriggeredBy: r.Header.Get("user"),
    824. 

  824. 		Target: models.Subject{
    825. 

  825. 			ID:   userG.ID.String(),
    826. 

  826. 			Name: userG.Name,
    827. 

  827. 			Type: models.UserGroupSub,
    828. 

  828. 		},
    829. 

  829. 		Origin: models.Dashboard,
    830. 

  830. 	})
    831. 

  831. 	replacePeers := false
    832. 

  832. 	go func() {
    833. 

  833. 		for networkID := range userG.NetworkRoles {
    834. 

  834. 			acls, err := logic.ListAclsByNetwork(networkID)
    835. 

  835. 			if err != nil {
    836. 

  836. 				continue
    837. 

  837. 			}
    838. 

  838. 

  839. 			for _, acl := range acls {
    840. 

  840. 				var hasGroupSrc bool
    841. 

  841. 				newAclSrc := make([]models.AclPolicyTag, 0)
    842. 

  842. 				for _, src := range acl.Src {
    843. 

  843. 					if src.ID == models.UserGroupAclID && src.Value == userG.ID.String() {
    844. 

  844. 						hasGroupSrc = true
    845. 

  845. 					} else {
    846. 

  846. 						newAclSrc = append(newAclSrc, src)
    847. 

  847. 					}
    848. 

  848. 				}
    849. 

  849. 

  850. 				if hasGroupSrc {
    851. 

  851. 					if len(newAclSrc) == 0 {
    852. 

  852. 						// no other src exists, delete acl.
    853. 

  853. 						_ = logic.DeleteAcl(acl)
    854. 

  854. 					} else {
    855. 

  855. 						// other sources exist, update acl.
    856. 

  856. 						acl.Src = newAclSrc
    857. 

  857. 						_ = logic.UpsertAcl(acl)
    858. 

  858. 					}
    859. 

  859. 					replacePeers = true
    860. 

  860. 				}
    861. 

  861. 			}
    862. 

  862. 		}
    863. 

  863. 	}()
    864. 

  864. 

  865. 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userG.ID, userG.NetworkRoles, make(map[models.NetworkID]map[models.UserRoleID]struct{}))
    866. 

  866. 	go mq.PublishPeerUpdate(replacePeers)
    867. 

  867. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
    868. 

  868. }
    869. 

  869. 

  870. // @Summary     lists all user roles.
    871. 

  871. // @Router      /api/v1/user/roles [get]
    872. 

  872. // @Tags        Users
    873. 

  873. // @Param       role_id query string true "roleid required to get the role details"
    874. 

  874. // @Success     200 {object}  []models.UserRolePermissionTemplate
    875. 

  875. // @Failure     500 {object} models.ErrorResponse
    876. 

  876. func ListRoles(w http.ResponseWriter, r *http.Request) {
    877. 

  877. 	platform := r.URL.Query().Get("platform")
    878. 

  878. 	var roles []models.UserRolePermissionTemplate
    879. 

  879. 	var err error
    880. 

  880. 	if platform == "true" {
    881. 

  881. 		roles, err = logic.ListPlatformRoles()
    882. 

  882. 	} else {
    883. 

  883. 		roles, err = proLogic.ListNetworkRoles()
    884. 

  884. 	}
    885. 

  885. 	if err != nil {
    886. 

  886. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    887. 

  887. 			Code:    http.StatusInternalServerError,
    888. 

  888. 			Message: err.Error(),
    889. 

  889. 		})
    890. 

  890. 		return
    891. 

  891. 	}
    892. 

  892. 

  893. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    894. 

  894. }
    895. 

  895. 

  896. // @Summary     Get user role permission template.
    897. 

  897. // @Router      /api/v1/user/role [get]
    898. 

  898. // @Tags        Users
    899. 

  899. // @Param       role_id query string true "roleid required to get the role details"
    900. 

  900. // @Success     200 {object} models.UserRolePermissionTemplate
    901. 

  901. // @Failure     500 {object} models.ErrorResponse
    902. 

  902. func getRole(w http.ResponseWriter, r *http.Request) {
    903. 

  903. 	rid := r.URL.Query().Get("role_id")
    904. 

  904. 	if rid == "" {
    905. 

  905. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    906. 

  906. 		return
    907. 

  907. 	}
    908. 

  908. 	role, err := logic.GetRole(models.UserRoleID(rid))
    909. 

  909. 	if err != nil {
    910. 

  910. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    911. 

  911. 			Code:    http.StatusInternalServerError,
    912. 

  912. 			Message: err.Error(),
    913. 

  913. 		})
    914. 

  914. 		return
    915. 

  915. 	}
    916. 

  916. 	logic.ReturnSuccessResponseWithJson(w, r, role, "successfully fetched user role permission templates")
    917. 

  917. }
    918. 

  918. 

  919. // @Summary     Create user role permission template.
    920. 

  920. // @Router      /api/v1/user/role [post]
    921. 

  921. // @Tags        Users
    922. 

  922. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    923. 

  923. // @Success     200 {object}  models.UserRolePermissionTemplate
    924. 

  924. // @Failure     500 {object} models.ErrorResponse
    925. 

  925. func createRole(w http.ResponseWriter, r *http.Request) {
    926. 

  926. 	var userRole models.UserRolePermissionTemplate
    927. 

  927. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    928. 

  928. 	if err != nil {
    929. 

  929. 		slog.Error("error decoding request body", "error",
    930. 

  930. 			err.Error())
    931. 

  931. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    932. 

  932. 		return
    933. 

  933. 	}
    934. 

  934. 	err = proLogic.ValidateCreateRoleReq(&userRole)
    935. 

  935. 	if err != nil {
    936. 

  936. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    937. 

  937. 		return
    938. 

  938. 	}
    939. 

  939. 	userRole.Default = false
    940. 

  940. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    941. 

  941. 	err = proLogic.CreateRole(userRole)
    942. 

  942. 	if err != nil {
    943. 

  943. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    944. 

  944. 		return
    945. 

  945. 	}
    946. 

  946. 	logic.LogEvent(&models.Event{
    947. 

  947. 		Action: models.Create,
    948. 

  948. 		Source: models.Subject{
    949. 

  949. 			ID:   r.Header.Get("user"),
    950. 

  950. 			Name: r.Header.Get("user"),
    951. 

  951. 			Type: models.UserSub,
    952. 

  952. 		},
    953. 

  953. 		TriggeredBy: r.Header.Get("user"),
    954. 

  954. 		Target: models.Subject{
    955. 

  955. 			ID:   userRole.ID.String(),
    956. 

  956. 			Name: userRole.Name,
    957. 

  957. 			Type: models.UserRoleSub,
    958. 

  958. 		},
    959. 

  959. 		Origin: models.ClientApp,
    960. 

  960. 	})
    961. 

  961. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "created user role")
    962. 

  962. }
    963. 

  963. 

  964. // @Summary     Update user role permission template.
    965. 

  965. // @Router      /api/v1/user/role [put]
    966. 

  966. // @Tags        Users
    967. 

  967. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    968. 

  968. // @Success     200 {object} models.UserRolePermissionTemplate
    969. 

  969. // @Failure     500 {object} models.ErrorResponse
    970. 

  970. func updateRole(w http.ResponseWriter, r *http.Request) {
    971. 

  971. 	var userRole models.UserRolePermissionTemplate
    972. 

  972. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    973. 

  973. 	if err != nil {
    974. 

  974. 		slog.Error("error decoding request body", "error",
    975. 

  975. 			err.Error())
    976. 

  976. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    977. 

  977. 		return
    978. 

  978. 	}
    979. 

  979. 	currRole, err := logic.GetRole(userRole.ID)
    980. 

  980. 	if err != nil {
    981. 

  981. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    982. 

  982. 		return
    983. 

  983. 	}
    984. 

  984. 	err = proLogic.ValidateUpdateRoleReq(&userRole)
    985. 

  985. 	if err != nil {
    986. 

  986. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    987. 

  987. 		return
    988. 

  988. 	}
    989. 

  989. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    990. 

  990. 	err = proLogic.UpdateRole(userRole)
    991. 

  991. 	if err != nil {
    992. 

  992. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    993. 

  993. 		return
    994. 

  994. 	}
    995. 

  995. 	logic.LogEvent(&models.Event{
    996. 

  996. 		Action: models.Update,
    997. 

  997. 		Source: models.Subject{
    998. 

  998. 			ID:   r.Header.Get("user"),
    999. 

  999. 			Name: r.Header.Get("user"),
    1000. 

  1000. 			Type: models.UserSub,
    1001. 

  1001. 		},
    1002. 

  1002. 		TriggeredBy: r.Header.Get("user"),
    1003. 

  1003. 		Target: models.Subject{
    1004. 

  1004. 			ID:   userRole.ID.String(),
    1005. 

  1005. 			Name: userRole.Name,
    1006. 

  1006. 			Type: models.UserRoleSub,
    1007. 

  1007. 		},
    1008. 

  1008. 		Diff: models.Diff{
    1009. 

  1009. 			Old: currRole,
    1010. 

  1010. 			New: userRole,
    1011. 

  1011. 		},
    1012. 

  1012. 		Origin: models.Dashboard,
    1013. 

  1013. 	})
    1014. 

  1014. 	// reset configs for service user
    1015. 

  1015. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
    1016. 

  1016. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "updated user role")
    1017. 

  1017. }
    1018. 

  1018. 

  1019. // @Summary     Delete user role permission template.
    1020. 

  1020. // @Router      /api/v1/user/role [delete]
    1021. 

  1021. // @Tags        Users
    1022. 

  1022. // @Param       role_id query string true "roleid required to delete the role"
    1023. 

  1023. // @Success     200 {string} string
    1024. 

  1024. // @Failure     500 {object} models.ErrorResponse
    1025. 

  1025. func deleteRole(w http.ResponseWriter, r *http.Request) {
    1026. 

  1026. 

  1027. 	rid := r.URL.Query().Get("role_id")
    1028. 

  1028. 	if rid == "" {
    1029. 

  1029. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1030. 

  1030. 		return
    1031. 

  1031. 	}
    1032. 

  1032. 	role, err := logic.GetRole(models.UserRoleID(rid))
    1033. 

  1033. 	if err != nil {
    1034. 

  1034. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1035. 

  1035. 		return
    1036. 

  1036. 	}
    1037. 

  1037. 	err = proLogic.DeleteRole(models.UserRoleID(rid), false)
    1038. 

  1038. 	if err != nil {
    1039. 

  1039. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1040. 

  1040. 		return
    1041. 

  1041. 	}
    1042. 

  1042. 	logic.LogEvent(&models.Event{
    1043. 

  1043. 		Action: models.Delete,
    1044. 

  1044. 		Source: models.Subject{
    1045. 

  1045. 			ID:   r.Header.Get("user"),
    1046. 

  1046. 			Name: r.Header.Get("user"),
    1047. 

  1047. 			Type: models.UserSub,
    1048. 

  1048. 		},
    1049. 

  1049. 		TriggeredBy: r.Header.Get("user"),
    1050. 

  1050. 		Target: models.Subject{
    1051. 

  1051. 			ID:   role.ID.String(),
    1052. 

  1052. 			Name: role.Name,
    1053. 

  1053. 			Type: models.UserRoleSub,
    1054. 

  1054. 		},
    1055. 

  1055. 		Origin: models.Dashboard,
    1056. 

  1056. 	})
    1057. 

  1057. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
    1058. 

  1058. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user role")
    1059. 

  1059. }
    1060. 

  1060. 

  1061. // @Summary     Attach user to a remote access gateway
    1062. 

  1062. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [post]
    1063. 

  1063. // @Tags        PRO
    1064. 

  1064. // @Accept      json
    1065. 

  1065. // @Produce     json
    1066. 

  1066. // @Param       username path string true "Username"
    1067. 

  1067. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1068. 

  1068. // @Success     200 {object} models.ReturnUser
    1069. 

  1069. // @Failure     400 {object} models.ErrorResponse
    1070. 

  1070. // @Failure     500 {object} models.ErrorResponse
    1071. 

  1071. func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
    1072. 

  1072. 	// set header.
    1073. 

  1073. 	w.Header().Set("Content-Type", "application/json")
    1074. 

  1074. 

  1075. 	var params = mux.Vars(r)
    1076. 

  1076. 	username := params["username"]
    1077. 

  1077. 	remoteGwID := params["remote_access_gateway_id"]
    1078. 

  1078. 	if username == "" || remoteGwID == "" {
    1079. 

  1079. 		logic.ReturnErrorResponse(
    1080. 

  1080. 			w,
    1081. 

  1081. 			r,
    1082. 

  1082. 			logic.FormatError(
    1083. 

  1083. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1084. 

  1084. 				"badrequest",
    1085. 

  1085. 			),
    1086. 

  1086. 		)
    1087. 

  1087. 		return
    1088. 

  1088. 	}
    1089. 

  1089. 	user, err := logic.GetUser(username)
    1090. 

  1090. 	if err != nil {
    1091. 

  1091. 		slog.Error("failed to fetch user: ", "username", username, "error", err.Error())
    1092. 

  1092. 		logic.ReturnErrorResponse(
    1093. 

  1093. 			w,
    1094. 

  1094. 			r,
    1095. 

  1095. 			logic.FormatError(
    1096. 

  1096. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1097. 

  1097. 				"badrequest",
    1098. 

  1098. 			),
    1099. 

  1099. 		)
    1100. 

  1100. 		return
    1101. 

  1101. 	}
    1102. 

  1102. 	if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
    1103. 

  1103. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("superadmins/admins have access to all gateways"), "badrequest"))
    1104. 

  1104. 		return
    1105. 

  1105. 	}
    1106. 

  1106. 	node, err := logic.GetNodeByID(remoteGwID)
    1107. 

  1107. 	if err != nil {
    1108. 

  1108. 		slog.Error("failed to fetch gateway node", "nodeID", remoteGwID, "error", err)
    1109. 

  1109. 		logic.ReturnErrorResponse(
    1110. 

  1110. 			w,
    1111. 

  1111. 			r,
    1112. 

  1112. 			logic.FormatError(
    1113. 

  1113. 				fmt.Errorf("failed to fetch remote access gateway node, error: %v", err),
    1114. 

  1114. 				"badrequest",
    1115. 

  1115. 			),
    1116. 

  1116. 		)
    1117. 

  1117. 		return
    1118. 

  1118. 	}
    1119. 

  1119. 	if !node.IsIngressGateway {
    1120. 

  1120. 		logic.ReturnErrorResponse(
    1121. 

  1121. 			w,
    1122. 

  1122. 			r,
    1123. 

  1123. 			logic.FormatError(fmt.Errorf("node is not a remote access gateway"), "badrequest"),
    1124. 

  1124. 		)
    1125. 

  1125. 		return
    1126. 

  1126. 	}
    1127. 

  1127. 	if user.RemoteGwIDs == nil {
    1128. 

  1128. 		user.RemoteGwIDs = make(map[string]struct{})
    1129. 

  1129. 	}
    1130. 

  1130. 	user.RemoteGwIDs[node.ID.String()] = struct{}{}
    1131. 

  1131. 	err = logic.UpsertUser(*user)
    1132. 

  1132. 	if err != nil {
    1133. 

  1133. 		slog.Error("failed to update user's gateways", "user", username, "error", err)
    1134. 

  1134. 		logic.ReturnErrorResponse(
    1135. 

  1135. 			w,
    1136. 

  1136. 			r,
    1137. 

  1137. 			logic.FormatError(
    1138. 

  1138. 				fmt.Errorf("failed to fetch remote access gateway node,error: %v", err),
    1139. 

  1139. 				"badrequest",
    1140. 

  1140. 			),
    1141. 

  1141. 		)
    1142. 

  1142. 		return
    1143. 

  1143. 	}
    1144. 

  1144. 

  1145. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1146. 

  1146. }
    1147. 

  1147. 

  1148. // @Summary     Remove user from a remote access gateway
    1149. 

  1149. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [delete]
    1150. 

  1150. // @Tags        PRO
    1151. 

  1151. // @Accept      json
    1152. 

  1152. // @Produce     json
    1153. 

  1153. // @Param       username path string true "Username"
    1154. 

  1154. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1155. 

  1155. // @Success     200 {object} models.ReturnUser
    1156. 

  1156. // @Failure     400 {object} models.ErrorResponse
    1157. 

  1157. // @Failure     500 {object} models.ErrorResponse
    1158. 

  1158. func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
    1159. 

  1159. 	// set header.
    1160. 

  1160. 	w.Header().Set("Content-Type", "application/json")
    1161. 

  1161. 

  1162. 	var params = mux.Vars(r)
    1163. 

  1163. 	username := params["username"]
    1164. 

  1164. 	remoteGwID := params["remote_access_gateway_id"]
    1165. 

  1165. 	if username == "" || remoteGwID == "" {
    1166. 

  1166. 		logic.ReturnErrorResponse(
    1167. 

  1167. 			w,
    1168. 

  1168. 			r,
    1169. 

  1169. 			logic.FormatError(
    1170. 

  1170. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1171. 

  1171. 				"badrequest",
    1172. 

  1172. 			),
    1173. 

  1173. 		)
    1174. 

  1174. 		return
    1175. 

  1175. 	}
    1176. 

  1176. 	user, err := logic.GetUser(username)
    1177. 

  1177. 	if err != nil {
    1178. 

  1178. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1179. 

  1179. 		logic.ReturnErrorResponse(
    1180. 

  1180. 			w,
    1181. 

  1181. 			r,
    1182. 

  1182. 			logic.FormatError(
    1183. 

  1183. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1184. 

  1184. 				"badrequest",
    1185. 

  1185. 			),
    1186. 

  1186. 		)
    1187. 

  1187. 		return
    1188. 

  1188. 	}
    1189. 

  1189. 	delete(user.RemoteGwIDs, remoteGwID)
    1190. 

  1190. 	go func(user models.User, remoteGwID string) {
    1191. 

  1191. 		extclients, err := logic.GetAllExtClients()
    1192. 

  1192. 		if err != nil {
    1193. 

  1193. 			slog.Error("failed to fetch extclients", "error", err)
    1194. 

  1194. 			return
    1195. 

  1195. 		}
    1196. 

  1196. 		for _, extclient := range extclients {
    1197. 

  1197. 			if extclient.OwnerID == user.UserName && remoteGwID == extclient.IngressGatewayID {
    1198. 

  1198. 				err = logic.DeleteExtClientAndCleanup(extclient)
    1199. 

  1199. 				if err != nil {
    1200. 

  1200. 					slog.Error("failed to delete extclient",
    1201. 

  1201. 						"id", extclient.ClientID, "owner", user.UserName, "error", err)
    1202. 

  1202. 				} else {
    1203. 

  1203. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    1204. 

  1204. 						slog.Error("error setting ext peers: " + err.Error())
    1205. 

  1205. 					}
    1206. 

  1206. 				}
    1207. 

  1207. 			}
    1208. 

  1208. 		}
    1209. 

  1209. 		if servercfg.IsDNSMode() {
    1210. 

  1210. 			logic.SetDNS()
    1211. 

  1211. 		}
    1212. 

  1212. 	}(*user, remoteGwID)
    1213. 

  1213. 

  1214. 	err = logic.UpsertUser(*user)
    1215. 

  1215. 	if err != nil {
    1216. 

  1216. 		slog.Error("failed to update user gateways", "user", username, "error", err)
    1217. 

  1217. 		logic.ReturnErrorResponse(
    1218. 

  1218. 			w,
    1219. 

  1219. 			r,
    1220. 

  1220. 			logic.FormatError(
    1221. 

  1221. 				errors.New("failed to fetch remote access gaetway node "+err.Error()),
    1222. 

  1222. 				"badrequest",
    1223. 

  1223. 			),
    1224. 

  1224. 		)
    1225. 

  1225. 		return
    1226. 

  1226. 	}
    1227. 

  1227. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1228. 

  1228. }
    1229. 

  1229. 

  1230. // @Summary     Get Users Remote Access Gw Networks.
    1231. 

  1231. // @Router      /api/users/{username}/remote_access_gw [get]
    1232. 

  1232. // @Tags        Users
    1233. 

  1233. // @Param       username path string true "Username to fetch all the gateways with access"
    1234. 

  1234. // @Success     200 {object} map[string][]models.UserRemoteGws
    1235. 

  1235. // @Failure     500 {object} models.ErrorResponse
    1236. 

  1236. func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
    1237. 

  1237. 	// set header.
    1238. 

  1238. 	w.Header().Set("Content-Type", "application/json")
    1239. 

  1239. 	username := r.Header.Get("user")
    1240. 

  1240. 	user, err := logic.GetUser(username)
    1241. 

  1241. 	if err != nil {
    1242. 

  1242. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1243. 

  1243. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1244. 

  1244. 		return
    1245. 

  1245. 	}
    1246. 

  1246. 	userGws := make(map[string][]models.UserRemoteGws)
    1247. 

  1247. 	networks := []models.Network{}
    1248. 

  1248. 	networkMap := make(map[string]struct{})
    1249. 

  1249. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1250. 

  1250. 	for _, node := range userGwNodes {
    1251. 

  1251. 		network, err := logic.GetNetwork(node.Network)
    1252. 

  1252. 		if err != nil {
    1253. 

  1253. 			slog.Error("failed to get node network", "error", err)
    1254. 

  1254. 			continue
    1255. 

  1255. 		}
    1256. 

  1256. 		if _, ok := networkMap[network.NetID]; ok {
    1257. 

  1257. 			continue
    1258. 

  1258. 		}
    1259. 

  1259. 		networkMap[network.NetID] = struct{}{}
    1260. 

  1260. 		networks = append(networks, network)
    1261. 

  1261. 	}
    1262. 

  1262. 

  1263. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1264. 

  1264. 	logic.ReturnSuccessResponseWithJson(w, r, networks, "fetched user accessible networks")
    1265. 

  1265. }
    1266. 

  1266. 

  1267. // @Summary     Get Users Remote Access Gw Networks.
    1268. 

  1268. // @Router      /api/users/{username}/remote_access_gw [get]
    1269. 

  1269. // @Tags        Users
    1270. 

  1270. // @Param       username path string true "Username to fetch all the gateways with access"
    1271. 

  1271. // @Success     200 {object} map[string][]models.UserRemoteGws
    1272. 

  1272. // @Failure     500 {object} models.ErrorResponse
    1273. 

  1273. func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request) {
    1274. 

  1274. 	// set header.
    1275. 

  1275. 	w.Header().Set("Content-Type", "application/json")
    1276. 

  1276. 	var params = mux.Vars(r)
    1277. 

  1277. 	username := r.Header.Get("user")
    1278. 

  1278. 	user, err := logic.GetUser(username)
    1279. 

  1279. 	if err != nil {
    1280. 

  1280. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1281. 

  1281. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1282. 

  1282. 		return
    1283. 

  1283. 	}
    1284. 

  1284. 	network := params["network"]
    1285. 

  1285. 	if network == "" {
    1286. 

  1286. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params network"), "badrequest"))
    1287. 

  1287. 		return
    1288. 

  1288. 	}
    1289. 

  1289. 	userGws := []models.UserRAGs{}
    1290. 

  1290. 

  1291. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1292. 

  1292. 	for _, node := range userGwNodes {
    1293. 

  1293. 		if node.Network != network {
    1294. 

  1294. 			continue
    1295. 

  1295. 		}
    1296. 

  1296. 

  1297. 		host, err := logic.GetHost(node.HostID.String())
    1298. 

  1298. 		if err != nil {
    1299. 

  1299. 			continue
    1300. 

  1300. 		}
    1301. 

  1301. 

  1302. 		userGws = append(userGws, models.UserRAGs{
    1303. 

  1303. 			GwID:              node.ID.String(),
    1304. 

  1304. 			GWName:            host.Name,
    1305. 

  1305. 			Network:           node.Network,
    1306. 

  1306. 			IsInternetGateway: node.IsInternetGateway,
    1307. 

  1307. 			Metadata:          node.Metadata,
    1308. 

  1308. 		})
    1309. 

  1309. 

  1310. 	}
    1311. 

  1311. 

  1312. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1313. 

  1313. 	logic.ReturnSuccessResponseWithJson(w, r, userGws, "fetched user accessible gateways in network "+network)
    1314. 

  1314. }
    1315. 

  1315. 

  1316. // @Summary     Get Users Remote Access Gw Networks.
    1317. 

  1317. // @Router      /api/users/{username}/remote_access_gw [get]
    1318. 

  1318. // @Tags        Users
    1319. 

  1319. // @Param       username path string true "Username to fetch all the gateways with access"
    1320. 

  1320. // @Success     200 {object} map[string][]models.UserRemoteGws
    1321. 

  1321. // @Failure     500 {object} models.ErrorResponse
    1322. 

  1322. func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
    1323. 

  1323. 	// set header.
    1324. 

  1324. 	w.Header().Set("Content-Type", "application/json")
    1325. 

  1325. 	var params = mux.Vars(r)
    1326. 

  1326. 	username := r.Header.Get("user")
    1327. 

  1327. 	user, err := logic.GetUser(username)
    1328. 

  1328. 	if err != nil {
    1329. 

  1329. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1330. 

  1330. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1331. 

  1331. 		return
    1332. 

  1332. 	}
    1333. 

  1333. 	remoteGwID := params["access_point_id"]
    1334. 

  1334. 	if remoteGwID == "" {
    1335. 

  1335. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params access_point_id"), "badrequest"))
    1336. 

  1336. 		return
    1337. 

  1337. 	}
    1338. 

  1338. 	var req models.UserRemoteGwsReq
    1339. 

  1339. 	err = json.NewDecoder(r.Body).Decode(&req)
    1340. 

  1340. 	if err != nil {
    1341. 

  1341. 		slog.Error("error decoding request body: ", "error", err)
    1342. 

  1342. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1343. 

  1343. 		return
    1344. 

  1344. 	}
    1345. 

  1345. 

  1346. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1347. 

  1347. 	if _, ok := userGwNodes[remoteGwID]; !ok {
    1348. 

  1348. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
    1349. 

  1349. 		return
    1350. 

  1350. 	}
    1351. 

  1351. 	node, err := logic.GetNodeByID(remoteGwID)
    1352. 

  1352. 	if err != nil {
    1353. 

  1353. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw node %s, error: %v", remoteGwID, err), "badrequest"))
    1354. 

  1354. 		return
    1355. 

  1355. 	}
    1356. 

  1356. 	host, err := logic.GetHost(node.HostID.String())
    1357. 

  1357. 	if err != nil {
    1358. 

  1358. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw host %s, error: %v", remoteGwID, err), "badrequest"))
    1359. 

  1359. 		return
    1360. 

  1360. 	}
    1361. 

  1361. 	network, err := logic.GetNetwork(node.Network)
    1362. 

  1362. 	if err != nil {
    1363. 

  1363. 		slog.Error("failed to get node network", "error", err)
    1364. 

  1364. 	}
    1365. 

  1365. 	var userConf models.ExtClient
    1366. 

  1366. 	allextClients, err := logic.GetAllExtClients()
    1367. 

  1367. 	if err != nil {
    1368. 

  1368. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1369. 

  1369. 		return
    1370. 

  1370. 	}
    1371. 

  1371. 	for _, extClient := range allextClients {
    1372. 

  1372. 		if extClient.Network != network.NetID || extClient.IngressGatewayID != node.ID.String() {
    1373. 

  1373. 			continue
    1374. 

  1374. 		}
    1375. 

  1375. 		if extClient.RemoteAccessClientID == req.RemoteAccessClientID && extClient.OwnerID == username {
    1376. 

  1376. 			userConf = extClient
    1377. 

  1377. 			userConf.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
    1378. 

  1378. 		}
    1379. 

  1379. 	}
    1380. 

  1380. 	if userConf.ClientID == "" {
    1381. 

  1381. 		// create a new conf
    1382. 

  1382. 		userConf.OwnerID = user.UserName
    1383. 

  1383. 		userConf.RemoteAccessClientID = req.RemoteAccessClientID
    1384. 

  1384. 		userConf.IngressGatewayID = node.ID.String()
    1385. 

  1385. 		logic.SetDNSOnWgConfig(&node, &userConf)
    1386. 

  1386. 

  1387. 		userConf.Network = node.Network
    1388. 

  1388. 		host, err := logic.GetHost(node.HostID.String())
    1389. 

  1389. 		if err != nil {
    1390. 

  1390. 			logger.Log(0, r.Header.Get("user"),
    1391. 

  1391. 				fmt.Sprintf("failed to get ingress gateway host for node [%s] info: %v", node.ID, err))
    1392. 

  1392. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1393. 

  1393. 			return
    1394. 

  1394. 		}
    1395. 

  1395. 		listenPort := logic.GetPeerListenPort(host)
    1396. 

  1396. 		if host.EndpointIP.To4() == nil {
    1397. 

  1397. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("[%s]:%d", host.EndpointIPv6.String(), listenPort)
    1398. 

  1398. 		} else {
    1399. 

  1399. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("%s:%d", host.EndpointIP.String(), listenPort)
    1400. 

  1400. 		}
    1401. 

  1401. 		userConf.Enabled = true
    1402. 

  1402. 		parentNetwork, err := logic.GetNetwork(node.Network)
    1403. 

  1403. 		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
    1404. 

  1404. 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
    1405. 

  1405. 		}
    1406. 

  1406. 		userConf.Tags = make(map[models.TagID]struct{})
    1407. 

  1407. 		// userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
    1408. 

  1408. 		// 	models.RemoteAccessTagName))] = struct{}{}
    1409. 

  1409. 		if err = logic.CreateExtClient(&userConf); err != nil {
    1410. 

  1410. 			slog.Error(
    1411. 

  1411. 				"failed to create extclient",
    1412. 

  1412. 				"user",
    1413. 

  1413. 				r.Header.Get("user"),
    1414. 

  1414. 				"network",
    1415. 

  1415. 				node.Network,
    1416. 

  1416. 				"error",
    1417. 

  1417. 				err,
    1418. 

  1418. 			)
    1419. 

  1419. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1420. 

  1420. 			return
    1421. 

  1421. 		}
    1422. 

  1422. 	}
    1423. 

  1423. 	userGw := models.UserRemoteGws{
    1424. 

  1424. 		GwID:              node.ID.String(),
    1425. 

  1425. 		GWName:            host.Name,
    1426. 

  1426. 		Network:           node.Network,
    1427. 

  1427. 		GwClient:          userConf,
    1428. 

  1428. 		Connected:         true,
    1429. 

  1429. 		IsInternetGateway: node.IsInternetGateway,
    1430. 

  1430. 		GwPeerPublicKey:   host.PublicKey.String(),
    1431. 

  1431. 		GwListenPort:      logic.GetPeerListenPort(host),
    1432. 

  1432. 		Metadata:          node.Metadata,
    1433. 

  1433. 		AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1434. 

  1434. 		NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1435. 

  1435. 		DnsAddress:        node.IngressDNS,
    1436. 

  1436. 		Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1437. 

  1437. 	}
    1438. 

  1438. 

  1439. 	slog.Debug("returned user gw config", "user", user.UserName, "gws", userGw)
    1440. 

  1440. 	logic.ReturnSuccessResponseWithJson(w, r, userGw, "fetched user config to gw "+remoteGwID)
    1441. 

  1441. }
    1442. 

  1442. 

  1443. // @Summary     Get Users Remote Access Gw.
    1444. 

  1444. // @Router      /api/users/{username}/remote_access_gw [get]
    1445. 

  1445. // @Tags        Users
    1446. 

  1446. // @Param       username path string true "Username to fetch all the gateways with access"
    1447. 

  1447. // @Success     200 {object} map[string][]models.UserRemoteGws
    1448. 

  1448. // @Failure     500 {object} models.ErrorResponse
    1449. 

  1449. func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
    1450. 

  1450. 	// set header.
    1451. 

  1451. 	w.Header().Set("Content-Type", "application/json")
    1452. 

  1452. 	var params = mux.Vars(r)
    1453. 

  1453. 	username := params["username"]
    1454. 

  1454. 	if username == "" {
    1455. 

  1455. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
    1456. 

  1456. 		return
    1457. 

  1457. 	}
    1458. 

  1458. 	user, err := logic.GetUser(username)
    1459. 

  1459. 	if err != nil {
    1460. 

  1460. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1461. 

  1461. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1462. 

  1462. 		return
    1463. 

  1463. 	}
    1464. 

  1464. 	deviceID := r.URL.Query().Get("device_id")
    1465. 

  1465. 	remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
    1466. 

  1466. 	var req models.UserRemoteGwsReq
    1467. 

  1467. 	if remoteAccessClientID == "" {
    1468. 

  1468. 		err := json.NewDecoder(r.Body).Decode(&req)
    1469. 

  1469. 		if err != nil {
    1470. 

  1470. 			slog.Error("error decoding request body: ", "error", err)
    1471. 

  1471. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1472. 

  1472. 			return
    1473. 

  1473. 		}
    1474. 

  1474. 	}
    1475. 

  1475. 	reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
    1476. 

  1476. 	if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
    1477. 

  1477. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
    1478. 

  1478. 		return
    1479. 

  1479. 	}
    1480. 

  1480. 	if req.RemoteAccessClientID == "" {
    1481. 

  1481. 		req.RemoteAccessClientID = remoteAccessClientID
    1482. 

  1482. 	}
    1483. 

  1483. 	userGws := make(map[string][]models.UserRemoteGws)
    1484. 

  1484. 	allextClients, err := logic.GetAllExtClients()
    1485. 

  1485. 	if err != nil {
    1486. 

  1486. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1487. 

  1487. 		return
    1488. 

  1488. 	}
    1489. 

  1489. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1490. 

  1490. 

  1491. 	userExtClients := make(map[string][]models.ExtClient)
    1492. 

  1492. 

  1493. 	// group all extclients of the requesting user by ingress
    1494. 

  1494. 	// gateway.
    1495. 

  1495. 	for _, extClient := range allextClients {
    1496. 

  1496. 		// filter our extclients that don't belong to this user.
    1497. 

  1497. 		if extClient.OwnerID != username {
    1498. 

  1498. 			continue
    1499. 

  1499. 		}
    1500. 

  1500. 

  1501. 		_, ok := userExtClients[extClient.IngressGatewayID]
    1502. 

  1502. 		if !ok {
    1503. 

  1503. 			userExtClients[extClient.IngressGatewayID] = []models.ExtClient{}
    1504. 

  1504. 		}
    1505. 

  1505. 

  1506. 		userExtClients[extClient.IngressGatewayID] = append(userExtClients[extClient.IngressGatewayID], extClient)
    1507. 

  1507. 	}
    1508. 

  1508. 

  1509. 	for ingressGatewayID, extClients := range userExtClients {
    1510. 

  1510. 		logic.SortExtClient(extClients)
    1511. 

  1511. 

  1512. 		node, ok := userGwNodes[ingressGatewayID]
    1513. 

  1513. 		if !ok {
    1514. 

  1514. 			continue
    1515. 

  1515. 		}
    1516. 

  1516. 

  1517. 		var gwClient models.ExtClient
    1518. 

  1518. 		var found bool
    1519. 

  1519. 		if deviceID != "" {
    1520. 

  1520. 			for _, extClient := range extClients {
    1521. 

  1521. 				if extClient.DeviceID == deviceID {
    1522. 

  1522. 					gwClient = extClient
    1523. 

  1523. 					found = true
    1524. 

  1524. 					break
    1525. 

  1525. 				}
    1526. 

  1526. 			}
    1527. 

  1527. 		}
    1528. 

  1528. 

  1529. 		if !found {
    1530. 

  1530. 			// TODO: prevent ip clashes.
    1531. 

  1531. 			if len(extClients) > 0 {
    1532. 

  1532. 				gwClient = extClients[0]
    1533. 

  1533. 			}
    1534. 

  1534. 		}
    1535. 

  1535. 

  1536. 		host, err := logic.GetHost(node.HostID.String())
    1537. 

  1537. 		if err != nil {
    1538. 

  1538. 			continue
    1539. 

  1539. 		}
    1540. 

  1540. 		network, err := logic.GetNetwork(node.Network)
    1541. 

  1541. 		if err != nil {
    1542. 

  1542. 			slog.Error("failed to get node network", "error", err)
    1543. 

  1543. 			continue
    1544. 

  1544. 		}
    1545. 

  1545. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1546. 

  1546. 		if len(nodesWithStatus) > 0 {
    1547. 

  1547. 			node = nodesWithStatus[0]
    1548. 

  1548. 		}
    1549. 

  1549. 

  1550. 		gws := userGws[node.Network]
    1551. 

  1551. 		if gwClient.DNS == "" {
    1552. 

  1552. 			gwClient.DNS = node.IngressDNS
    1553. 

  1553. 		}
    1554. 

  1554. 

  1555. 		gwClient.IngressGatewayEndpoint = utils.GetExtClientEndpoint(
    1556. 

  1556. 			host.EndpointIP,
    1557. 

  1557. 			host.EndpointIPv6,
    1558. 

  1558. 			logic.GetPeerListenPort(host),
    1559. 

  1559. 		)
    1560. 

  1560. 		gwClient.AllowedIPs = logic.GetExtclientAllowedIPs(gwClient)
    1561. 

  1561. 		gw := models.UserRemoteGws{
    1562. 

  1562. 			GwID:              node.ID.String(),
    1563. 

  1563. 			GWName:            host.Name,
    1564. 

  1564. 			Network:           node.Network,
    1565. 

  1565. 			GwClient:          gwClient,
    1566. 

  1566. 			Connected:         true,
    1567. 

  1567. 			IsInternetGateway: node.IsInternetGateway,
    1568. 

  1568. 			GwPeerPublicKey:   host.PublicKey.String(),
    1569. 

  1569. 			GwListenPort:      logic.GetPeerListenPort(host),
    1570. 

  1570. 			Metadata:          node.Metadata,
    1571. 

  1571. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1572. 

  1572. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1573. 

  1573. 			Status:            node.Status,
    1574. 

  1574. 			DnsAddress:        node.IngressDNS,
    1575. 

  1575. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1576. 

  1576. 		}
    1577. 

  1577. 		if !node.IsInternetGateway {
    1578. 

  1578. 			hNs := logic.GetNameserversForNode(&node)
    1579. 

  1579. 			for _, nsI := range hNs {
    1580. 

  1580. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1581. 

  1581. 			}
    1582. 

  1582. 		}
    1583. 

  1583. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1584. 

  1584. 		gws = append(gws, gw)
    1585. 

  1585. 		userGws[node.Network] = gws
    1586. 

  1586. 		delete(userGwNodes, node.ID.String())
    1587. 

  1587. 	}
    1588. 

  1588. 

  1589. 	// add remaining gw nodes to resp
    1590. 

  1590. 	for gwID := range userGwNodes {
    1591. 

  1591. 		node, err := logic.GetNodeByID(gwID)
    1592. 

  1592. 		if err != nil {
    1593. 

  1593. 			continue
    1594. 

  1594. 		}
    1595. 

  1595. 		if !node.IsIngressGateway {
    1596. 

  1596. 			continue
    1597. 

  1597. 		}
    1598. 

  1598. 		if node.PendingDelete {
    1599. 

  1599. 			continue
    1600. 

  1600. 		}
    1601. 

  1601. 		host, err := logic.GetHost(node.HostID.String())
    1602. 

  1602. 		if err != nil {
    1603. 

  1603. 			continue
    1604. 

  1604. 		}
    1605. 

  1605. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1606. 

  1606. 		if len(nodesWithStatus) > 0 {
    1607. 

  1607. 			node = nodesWithStatus[0]
    1608. 

  1608. 		}
    1609. 

  1609. 		network, err := logic.GetNetwork(node.Network)
    1610. 

  1610. 		if err != nil {
    1611. 

  1611. 			slog.Error("failed to get node network", "error", err)
    1612. 

  1612. 		}
    1613. 

  1613. 		gws := userGws[node.Network]
    1614. 

  1614. 		gw := models.UserRemoteGws{
    1615. 

  1615. 			GwID:              node.ID.String(),
    1616. 

  1616. 			GWName:            host.Name,
    1617. 

  1617. 			Network:           node.Network,
    1618. 

  1618. 			IsInternetGateway: node.IsInternetGateway,
    1619. 

  1619. 			GwPeerPublicKey:   host.PublicKey.String(),
    1620. 

  1620. 			GwListenPort:      logic.GetPeerListenPort(host),
    1621. 

  1621. 			Metadata:          node.Metadata,
    1622. 

  1622. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1623. 

  1623. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1624. 

  1624. 			Status:            node.Status,
    1625. 

  1625. 			DnsAddress:        node.IngressDNS,
    1626. 

  1626. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1627. 

  1627. 		}
    1628. 

  1628. 		if !node.IsInternetGateway {
    1629. 

  1629. 			hNs := logic.GetNameserversForNode(&node)
    1630. 

  1630. 			for _, nsI := range hNs {
    1631. 

  1631. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1632. 

  1632. 			}
    1633. 

  1633. 		}
    1634. 

  1634. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1635. 

  1635. 		gws = append(gws, gw)
    1636. 

  1636. 		userGws[node.Network] = gws
    1637. 

  1637. 	}
    1638. 

  1638. 

  1639. 	if reqFromMobile {
    1640. 

  1640. 		// send resp in array format
    1641. 

  1641. 		userGwsArr := []models.UserRemoteGws{}
    1642. 

  1642. 		for _, userGwI := range userGws {
    1643. 

  1643. 			userGwsArr = append(userGwsArr, userGwI...)
    1644. 

  1644. 		}
    1645. 

  1645. 		logic.ReturnSuccessResponseWithJson(w, r, userGwsArr, "fetched gateways for user"+username)
    1646. 

  1646. 		return
    1647. 

  1647. 	}
    1648. 

  1648. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1649. 

  1649. 	w.WriteHeader(http.StatusOK)
    1650. 

  1650. 	json.NewEncoder(w).Encode(userGws)
    1651. 

  1651. }
    1652. 

  1652. 

  1653. // @Summary     List users attached to an remote access gateway
    1654. 

  1654. // @Router      /api/nodes/{network}/{nodeid}/ingress/users [get]
    1655. 

  1655. // @Tags        PRO
    1656. 

  1656. // @Accept      json
    1657. 

  1657. // @Produce     json
    1658. 

  1658. // @Param       ingress_id path string true "Ingress Gateway ID"
    1659. 

  1659. // @Success     200 {array} models.IngressGwUsers
    1660. 

  1660. // @Failure     400 {object} models.ErrorResponse
    1661. 

  1661. // @Failure     500 {object} models.ErrorResponse
    1662. 

  1662. func ingressGatewayUsers(w http.ResponseWriter, r *http.Request) {
    1663. 

  1663. 	w.Header().Set("Content-Type", "application/json")
    1664. 

  1664. 	var params = mux.Vars(r)
    1665. 

  1665. 	ingressID := params["ingress_id"]
    1666. 

  1666. 	node, err := logic.GetNodeByID(ingressID)
    1667. 

  1667. 	if err != nil {
    1668. 

  1668. 		slog.Error("failed to get ingress node", "error", err)
    1669. 

  1669. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1670. 

  1670. 		return
    1671. 

  1671. 	}
    1672. 

  1672. 	gwUsers, err := logic.GetIngressGwUsers(node)
    1673. 

  1673. 	if err != nil {
    1674. 

  1674. 		slog.Error(
    1675. 

  1675. 			"failed to get users on ingress gateway",
    1676. 

  1676. 			"nodeid",
    1677. 

  1677. 			ingressID,
    1678. 

  1678. 			"network",
    1679. 

  1679. 			node.Network,
    1680. 

  1680. 			"user",
    1681. 

  1681. 			r.Header.Get("user"),
    1682. 

  1682. 			"error",
    1683. 

  1683. 			err,
    1684. 

  1684. 		)
    1685. 

  1685. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1686. 

  1686. 		return
    1687. 

  1687. 	}
    1688. 

  1688. 	w.WriteHeader(http.StatusOK)
    1689. 

  1689. 	json.NewEncoder(w).Encode(gwUsers)
    1690. 

  1690. }
    1691. 

  1691. 

  1692. func getAllowedRagEndpoints(ragNode *models.Node, ragHost *models.Host) []string {
    1693. 

  1693. 	endpoints := []string{}
    1694. 

  1694. 	if len(ragHost.EndpointIP) > 0 {
    1695. 

  1695. 		endpoints = append(endpoints, ragHost.EndpointIP.String())
    1696. 

  1696. 	}
    1697. 

  1697. 	if len(ragHost.EndpointIPv6) > 0 {
    1698. 

  1698. 		endpoints = append(endpoints, ragHost.EndpointIPv6.String())
    1699. 

  1699. 	}
    1700. 

  1700. 	if servercfg.IsPro {
    1701. 

  1701. 		for _, ip := range ragNode.AdditionalRagIps {
    1702. 

  1702. 			endpoints = append(endpoints, ip.String())
    1703. 

  1703. 		}
    1704. 

  1704. 	}
    1705. 

  1705. 	return endpoints
    1706. 

  1706. }
    1707. 

  1707. 

  1708. // @Summary     Get all pending users
    1709. 

  1709. // @Router      /api/users_pending [get]
    1710. 

  1710. // @Tags        Users
    1711. 

  1711. // @Success     200 {array} models.User
    1712. 

  1712. // @Failure     500 {object} models.ErrorResponse
    1713. 

  1713. func getPendingUsers(w http.ResponseWriter, r *http.Request) {
    1714. 

  1714. 	// set header.
    1715. 

  1715. 	w.Header().Set("Content-Type", "application/json")
    1716. 

  1716. 

  1717. 	users, err := logic.ListPendingReturnUsers()
    1718. 

  1718. 	if err != nil {
    1719. 

  1719. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1720. 

  1720. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1721. 

  1721. 		return
    1722. 

  1722. 	}
    1723. 

  1723. 

  1724. 	logic.SortUsers(users[:])
    1725. 

  1725. 	logger.Log(2, r.Header.Get("user"), "fetched pending users")
    1726. 

  1726. 	json.NewEncoder(w).Encode(users)
    1727. 

  1727. }
    1728. 

  1728. 

  1729. // @Summary     Approve a pending user
    1730. 

  1730. // @Router      /api/users_pending/user/{username} [post]
    1731. 

  1731. // @Tags        Users
    1732. 

  1732. // @Param       username path string true "Username of the pending user to approve"
    1733. 

  1733. // @Success     200 {string} string
    1734. 

  1734. // @Failure     500 {object} models.ErrorResponse
    1735. 

  1735. func approvePendingUser(w http.ResponseWriter, r *http.Request) {
    1736. 

  1736. 	// set header.
    1737. 

  1737. 	w.Header().Set("Content-Type", "application/json")
    1738. 

  1738. 	var params = mux.Vars(r)
    1739. 

  1739. 	username := params["username"]
    1740. 

  1740. 	users, err := logic.ListPendingUsers()
    1741. 

  1741. 

  1742. 	if err != nil {
    1743. 

  1743. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1744. 

  1744. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1745. 

  1745. 		return
    1746. 

  1746. 	}
    1747. 

  1747. 	for _, user := range users {
    1748. 

  1748. 		if user.UserName == username {
    1749. 

  1749. 			var newPass, fetchErr = logic.FetchPassValue("")
    1750. 

  1750. 			if fetchErr != nil {
    1751. 

  1751. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
    1752. 

  1752. 				return
    1753. 

  1753. 			}
    1754. 

  1754. 			if err = logic.CreateUser(&models.User{
    1755. 

  1755. 				UserName:                   user.UserName,
    1756. 

  1756. 				ExternalIdentityProviderID: user.ExternalIdentityProviderID,
    1757. 

  1757. 				Password:                   newPass,
    1758. 

  1758. 				AuthType:                   user.AuthType,
    1759. 

  1759. 				PlatformRoleID:             models.ServiceUser,
    1760. 

  1760. 			}); err != nil {
    1761. 

  1761. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to create user: %s", err), "internal"))
    1762. 

  1762. 				return
    1763. 

  1763. 			}
    1764. 

  1764. 			err = logic.DeletePendingUser(username)
    1765. 

  1765. 			if err != nil {
    1766. 

  1766. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1767. 

  1767. 				return
    1768. 

  1768. 			}
    1769. 

  1769. 			break
    1770. 

  1770. 		}
    1771. 

  1771. 	}
    1772. 

  1772. 	logic.LogEvent(&models.Event{
    1773. 

  1773. 		Action: models.Create,
    1774. 

  1774. 		Source: models.Subject{
    1775. 

  1775. 			ID:   r.Header.Get("user"),
    1776. 

  1776. 			Name: r.Header.Get("user"),
    1777. 

  1777. 			Type: models.UserSub,
    1778. 

  1778. 		},
    1779. 

  1779. 		TriggeredBy: r.Header.Get("user"),
    1780. 

  1780. 		Target: models.Subject{
    1781. 

  1781. 			ID:   username,
    1782. 

  1782. 			Name: username,
    1783. 

  1783. 			Type: models.PendingUserSub,
    1784. 

  1784. 		},
    1785. 

  1785. 		Origin: models.Dashboard,
    1786. 

  1786. 	})
    1787. 

  1787. 	logic.ReturnSuccessResponse(w, r, "approved "+username)
    1788. 

  1788. }
    1789. 

  1789. 

  1790. // @Summary     Delete a pending user
    1791. 

  1791. // @Router      /api/users_pending/user/{username} [delete]
    1792. 

  1792. // @Tags        Users
    1793. 

  1793. // @Param       username path string true "Username of the pending user to delete"
    1794. 

  1794. // @Success     200 {string} string
    1795. 

  1795. // @Failure     500 {object} models.ErrorResponse
    1796. 

  1796. func deletePendingUser(w http.ResponseWriter, r *http.Request) {
    1797. 

  1797. 	// set header.
    1798. 

  1798. 	w.Header().Set("Content-Type", "application/json")
    1799. 

  1799. 	var params = mux.Vars(r)
    1800. 

  1800. 	username := params["username"]
    1801. 

  1801. 	users, err := logic.ListPendingReturnUsers()
    1802. 

  1802. 

  1803. 	if err != nil {
    1804. 

  1804. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1805. 

  1805. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1806. 

  1806. 		return
    1807. 

  1807. 	}
    1808. 

  1808. 	for _, user := range users {
    1809. 

  1809. 		if user.UserName == username {
    1810. 

  1810. 			err = logic.DeletePendingUser(username)
    1811. 

  1811. 			if err != nil {
    1812. 

  1812. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1813. 

  1813. 				return
    1814. 

  1814. 			}
    1815. 

  1815. 			break
    1816. 

  1816. 		}
    1817. 

  1817. 	}
    1818. 

  1818. 	logic.LogEvent(&models.Event{
    1819. 

  1819. 		Action: models.Delete,
    1820. 

  1820. 		Source: models.Subject{
    1821. 

  1821. 			ID:   r.Header.Get("user"),
    1822. 

  1822. 			Name: r.Header.Get("user"),
    1823. 

  1823. 			Type: models.UserSub,
    1824. 

  1824. 		},
    1825. 

  1825. 		TriggeredBy: r.Header.Get("user"),
    1826. 

  1826. 		Target: models.Subject{
    1827. 

  1827. 			ID:   username,
    1828. 

  1828. 			Name: username,
    1829. 

  1829. 			Type: models.PendingUserSub,
    1830. 

  1830. 		},
    1831. 

  1831. 		Origin: models.Dashboard,
    1832. 

  1832. 	})
    1833. 

  1833. 	logic.ReturnSuccessResponse(w, r, "deleted pending "+username)
    1834. 

  1834. }
    1835. 

  1835. 

  1836. // @Summary     Delete all pending users
    1837. 

  1837. // @Router      /api/users_pending [delete]
    1838. 

  1838. // @Tags        Users
    1839. 

  1839. // @Success     200 {string} string
    1840. 

  1840. // @Failure     500 {object} models.ErrorResponse
    1841. 

  1841. func deleteAllPendingUsers(w http.ResponseWriter, r *http.Request) {
    1842. 

  1842. 	// set header.
    1843. 

  1843. 	err := database.DeleteAllRecords(database.PENDING_USERS_TABLE_NAME)
    1844. 

  1844. 	if err != nil {
    1845. 

  1845. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending users "+err.Error()), "internal"))
    1846. 

  1846. 		return
    1847. 

  1847. 	}
    1848. 

  1848. 	logic.LogEvent(&models.Event{
    1849. 

  1849. 		Action: models.DeleteAll,
    1850. 

  1850. 		Source: models.Subject{
    1851. 

  1851. 			ID:   r.Header.Get("user"),
    1852. 

  1852. 			Name: r.Header.Get("user"),
    1853. 

  1853. 			Type: models.UserSub,
    1854. 

  1854. 		},
    1855. 

  1855. 		TriggeredBy: r.Header.Get("user"),
    1856. 

  1856. 		Target: models.Subject{
    1857. 

  1857. 			ID:   r.Header.Get("user"),
    1858. 

  1858. 			Name: r.Header.Get("user"),
    1859. 

  1859. 			Type: models.PendingUserSub,
    1860. 

  1860. 		},
    1861. 

  1861. 		Origin: models.Dashboard,
    1862. 

  1862. 	})
    1863. 

  1863. 	logic.ReturnSuccessResponse(w, r, "cleared all pending users")
    1864. 

  1864. }
    1865. 

  1865. 

  1866. // @Summary     Sync users and groups from idp.
    1867. 

  1867. // @Router      /api/idp/sync [post]
    1868. 

  1868. // @Tags        IDP
    1869. 

  1869. // @Success     200 {object} models.SuccessResponse
    1870. 

  1870. func syncIDP(w http.ResponseWriter, r *http.Request) {
    1871. 

  1871. 	go func() {
    1872. 

  1872. 		err := proAuth.SyncFromIDP()
    1873. 

  1873. 		if err != nil {
    1874. 

  1874. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    1875. 

  1875. 		} else {
    1876. 

  1876. 			logger.Log(0, "sync from idp complete")
    1877. 

  1877. 		}
    1878. 

  1878. 	}()
    1879. 

  1879. 

  1880. 	logic.ReturnSuccessResponse(w, r, "starting sync from idp")
    1881. 

  1881. }
    1882. 

  1882. 

  1883. // @Summary     Test IDP Sync Credentials.
    1884. 

  1884. // @Router      /api/idp/sync/test [post]
    1885. 

  1885. // @Tags        IDP
    1886. 

  1886. // @Success     200 {object} models.SuccessResponse
    1887. 

  1887. // @Failure     400 {object} models.ErrorResponse
    1888. 

  1888. func testIDPSync(w http.ResponseWriter, r *http.Request) {
    1889. 

  1889. 	var req models.IDPSyncTestRequest
    1890. 

  1890. 	err := json.NewDecoder(r.Body).Decode(&req)
    1891. 

  1891. 	if err != nil {
    1892. 

  1892. 		err = fmt.Errorf("failed to decode request body: %v", err)
    1893. 

  1893. 		logger.Log(0, err.Error())
    1894. 

  1894. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1895. 

  1895. 		return
    1896. 

  1896. 	}
    1897. 

  1897. 

  1898. 	var idpClient idp.Client
    1899. 

  1899. 	switch req.AuthProvider {
    1900. 

  1900. 	case "google":
    1901. 

  1901. 		idpClient, err = google.NewGoogleWorkspaceClient(req.GoogleAdminEmail, req.GoogleSACredsJson)
    1902. 

  1902. 		if err != nil {
    1903. 

  1903. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1904. 

  1904. 			return
    1905. 

  1905. 		}
    1906. 

  1906. 	case "azure-ad":
    1907. 

  1907. 		idpClient = azure.NewAzureEntraIDClient(req.ClientID, req.ClientSecret, req.AzureTenantID)
    1908. 

  1908. 	case "okta":
    1909. 

  1909. 		idpClient, err = okta.NewOktaClient(req.OktaOrgURL, req.OktaAPIToken)
    1910. 

  1910. 		if err != nil {
    1911. 

  1911. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1912. 

  1912. 			return
    1913. 

  1913. 		}
    1914. 

  1914. 	default:
    1915. 

  1915. 		err = fmt.Errorf("invalid auth provider: %s", req.AuthProvider)
    1916. 

  1916. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1917. 

  1917. 		return
    1918. 

  1918. 	}
    1919. 

  1919. 

  1920. 	err = idpClient.Verify()
    1921. 

  1921. 	if err != nil {
    1922. 

  1922. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1923. 

  1923. 		return
    1924. 

  1924. 	}
    1925. 

  1925. 

  1926. 	logic.ReturnSuccessResponse(w, r, "idp sync test successful")
    1927. 

  1927. }
    1928. 

  1928. 

  1929. // @Summary     Gets idp sync status.
    1930. 

  1930. // @Router      /api/idp/sync/status [get]
    1931. 

  1931. // @Tags        IDP
    1932. 

  1932. // @Success     200 {object} models.SuccessResponse
    1933. 

  1933. func getIDPSyncStatus(w http.ResponseWriter, r *http.Request) {
    1934. 

  1934. 	logic.ReturnSuccessResponseWithJson(w, r, proAuth.GetIDPSyncStatus(), "idp sync status retrieved")
    1935. 

  1935. }
    1936. 

  1936. 

  1937. // @Summary     Remove idp integration.
    1938. 

  1938. // @Router      /api/idp [delete]
    1939. 

  1939. // @Tags        IDP
    1940. 

  1940. // @Success     200 {object} models.SuccessResponse
    1941. 

  1941. // @Failure     500 {object} models.ErrorResponse
    1942. 

  1942. func removeIDPIntegration(w http.ResponseWriter, r *http.Request) {
    1943. 

  1943. 	superAdmin, err := logic.GetSuperAdmin()
    1944. 

  1944. 	if err != nil {
    1945. 

  1945. 		logic.ReturnErrorResponse(
    1946. 

  1946. 			w,
    1947. 

  1947. 			r,
    1948. 

  1948. 			logic.FormatError(fmt.Errorf("failed to get superadmin: %v", err), "internal"),
    1949. 

  1949. 		)
    1950. 

  1950. 		return
    1951. 

  1951. 	}
    1952. 

  1952. 

  1953. 	if superAdmin.AuthType == models.OAuth {
    1954. 

  1954. 		err := fmt.Errorf(
    1955. 

  1955. 			"cannot remove IdP integration because an OAuth user has the super-admin role; transfer the super-admin role to another user first",
    1956. 

  1956. 		)
    1957. 

  1957. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1958. 

  1958. 		return
    1959. 

  1959. 	}
    1960. 

  1960. 

  1961. 	settings := logic.GetServerSettings()
    1962. 

  1962. 	settings.AuthProvider = ""
    1963. 

  1963. 	settings.OIDCIssuer = ""
    1964. 

  1964. 	settings.ClientID = ""
    1965. 

  1965. 	settings.ClientSecret = ""
    1966. 

  1966. 	settings.SyncEnabled = false
    1967. 

  1967. 	settings.GoogleAdminEmail = ""
    1968. 

  1968. 	settings.GoogleSACredsJson = ""
    1969. 

  1969. 	settings.AzureTenant = ""
    1970. 

  1970. 	settings.UserFilters = nil
    1971. 

  1971. 	settings.GroupFilters = nil
    1972. 

  1972. 

  1973. 	err = logic.UpsertServerSettings(settings)
    1974. 

  1974. 	if err != nil {
    1975. 

  1975. 		logic.ReturnErrorResponse(
    1976. 

  1976. 			w,
    1977. 

  1977. 			r,
    1978. 

  1978. 			logic.FormatError(fmt.Errorf("failed to remove idp integration: %v", err), "internal"),
    1979. 

  1979. 		)
    1980. 

  1980. 		return
    1981. 

  1981. 	}
    1982. 

  1982. 

  1983. 	proAuth.ResetAuthProvider()
    1984. 

  1984. 	proAuth.ResetIDPSyncHook()
    1985. 

  1985. 

  1986. 	go func() {
    1987. 

  1987. 		err := proAuth.SyncFromIDP()
    1988. 

  1988. 		if err != nil {
    1989. 

  1989. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    1990. 

  1990. 		} else {
    1991. 

  1991. 			logger.Log(0, "sync from idp complete")
    1992. 

  1992. 		}
    1993. 

  1993. 	}()
    1994. 

  1994. 

  1995. 	logic.ReturnSuccessResponse(w, r, "removed idp integration successfully")
    1996. 

  1996. }
    1997.