netmaker/pro/controllers/users.go

package controllers

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/gravitl/netmaker/pro/idp"
	"github.com/gravitl/netmaker/pro/idp/azure"
	"github.com/gravitl/netmaker/pro/idp/google"
	"github.com/gravitl/netmaker/pro/idp/okta"

	"github.com/google/uuid"
	"github.com/gorilla/mux"
	"github.com/gravitl/netmaker/database"
	"github.com/gravitl/netmaker/logger"
	"github.com/gravitl/netmaker/logic"
	"github.com/gravitl/netmaker/models"
	"github.com/gravitl/netmaker/mq"
	proAuth "github.com/gravitl/netmaker/pro/auth"
	"github.com/gravitl/netmaker/pro/email"
	proLogic "github.com/gravitl/netmaker/pro/logic"
	"github.com/gravitl/netmaker/servercfg"
	"github.com/gravitl/netmaker/utils"
	"golang.org/x/exp/slog"
)

func UserHandlers(r *mux.Router) {

	r.HandleFunc("/api/oauth/login", proAuth.HandleAuthLogin).Methods(http.MethodGet)
	r.HandleFunc("/api/oauth/callback", proAuth.HandleAuthCallback).Methods(http.MethodGet)
	r.HandleFunc("/api/oauth/headless", proAuth.HandleHeadlessSSO)
	r.HandleFunc("/api/oauth/register/{regKey}", proAuth.RegisterHostSSO).Methods(http.MethodGet)

	// User Role Handlers
	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)

	// User Group Handlers
	r.HandleFunc("/api/v1/users/groups", logic.SecurityCheck(true, http.HandlerFunc(listUserGroups))).Methods(http.MethodGet)
	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(getUserGroup))).Methods(http.MethodGet)
	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(createUserGroup))).Methods(http.MethodPost)
	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(updateUserGroup))).Methods(http.MethodPut)
	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(deleteUserGroup))).Methods(http.MethodDelete)
	r.HandleFunc("/api/v1/users/add_network_user", logic.SecurityCheck(true, http.HandlerFunc(addUsertoNetwork))).Methods(http.MethodPut)
	r.HandleFunc("/api/v1/users/remove_network_user", logic.SecurityCheck(true, http.HandlerFunc(removeUserfromNetwork))).Methods(http.MethodPut)

	// User Invite Handlers
	r.HandleFunc("/api/v1/users/invite", userInviteVerify).Methods(http.MethodGet)
	r.HandleFunc("/api/v1/users/invite-signup", userInviteSignUp).Methods(http.MethodPost)
	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(inviteUsers))).Methods(http.MethodPost)
	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(listUserInvites))).Methods(http.MethodGet)
	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(deleteUserInvite))).Methods(http.MethodDelete)
	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(deleteAllUserInvites))).Methods(http.MethodDelete)

	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(getPendingUsers))).Methods(http.MethodGet)
	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(deleteAllPendingUsers))).Methods(http.MethodDelete)
	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)

	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(attachUserToRemoteAccessGw))).Methods(http.MethodPost)
	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(removeUserFromRemoteAccessGW))).Methods(http.MethodDelete)
	r.HandleFunc("/api/users/{username}/remote_access_gw", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserRemoteAccessGwsV1)))).Methods(http.MethodGet)
	r.HandleFunc("/api/users/ingress/{ingress_id}", logic.SecurityCheck(true, http.HandlerFunc(ingressGatewayUsers))).Methods(http.MethodGet)

	r.HandleFunc("/api/idp/sync", logic.SecurityCheck(true, http.HandlerFunc(syncIDP))).Methods(http.MethodPost)
	r.HandleFunc("/api/idp/sync/test", logic.SecurityCheck(true, http.HandlerFunc(testIDPSync))).Methods(http.MethodPost)
	r.HandleFunc("/api/idp/sync/status", logic.SecurityCheck(true, http.HandlerFunc(getIDPSyncStatus))).Methods(http.MethodGet)
	r.HandleFunc("/api/idp", logic.SecurityCheck(true, http.HandlerFunc(removeIDPIntegration))).Methods(http.MethodDelete)
}

// swagger:route POST /api/v1/users/invite-signup user userInviteSignUp
//
// user signup via invite.
//
//	Schemes: https
//
//	Responses:
//		200: ReturnSuccessResponse
func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
	email := r.URL.Query().Get("email")
	code := r.URL.Query().Get("invite_code")
	in, err := logic.GetUserInvite(email)
	if err != nil {
		logger.Log(0, "failed to fetch users: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	if code != in.InviteCode {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid invite code"), "badrequest"))
		return
	}
	// check if user already exists
	_, err = logic.GetUser(email)
	if err == nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user already exists"), "badrequest"))
		return
	}
	var user models.User
	err = json.NewDecoder(r.Body).Decode(&user)
	if err != nil {
		logger.Log(0, user.UserName, "error decoding request body: ",
			err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	if user.UserName != email {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not matching with invite"), "badrequest"))
		return
	}
	if user.Password == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("password cannot be empty"), "badrequest"))
		return
	}

	user.UserGroups = in.UserGroups
	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
	if user.PlatformRoleID == "" {
		user.PlatformRoleID = models.ServiceUser
	}
	user.NetworkRoles = in.NetworkRoles
	err = logic.CreateUser(&user)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	// delete invite
	logic.DeleteUserInvite(email)
	logic.DeletePendingUser(email)
	w.Header().Set("Access-Control-Allow-Origin", "*")
	logic.ReturnSuccessResponse(w, r, "created user successfully "+email)
}

// swagger:route GET /api/v1/users/invite user userInviteVerify
//
// verfies user invite.
//
//	Schemes: https
//
//	Responses:
//		200: ReturnSuccessResponse
func userInviteVerify(w http.ResponseWriter, r *http.Request) {
	email := r.URL.Query().Get("email")
	code := r.URL.Query().Get("invite_code")
	err := logic.ValidateAndApproveUserInvite(email, code)
	if err != nil {
		logger.Log(0, "failed to fetch users: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.ReturnSuccessResponse(w, r, "invite is valid")
}

// swagger:route POST /api/v1/users/invite user inviteUsers
//
// invite users.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func inviteUsers(w http.ResponseWriter, r *http.Request) {
	var inviteReq models.InviteUsersReq
	err := json.NewDecoder(r.Body).Decode(&inviteReq)
	if err != nil {
		slog.Error("error decoding request body", "error",
			err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	callerUserName := r.Header.Get("user")
	if r.Header.Get("ismaster") != "yes" {
		caller, err := logic.GetUser(callerUserName)
		if err != nil {
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "notfound"))
			return
		}
		if inviteReq.PlatformRoleID == models.SuperAdminRole.String() {
			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("super admin cannot be invited"), "badrequest"))
			return
		}
		if inviteReq.PlatformRoleID == "" {
			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role id cannot be empty"), "badrequest"))
			return
		}
		if (inviteReq.PlatformRoleID == models.AdminRole.String() ||
			inviteReq.PlatformRoleID == models.SuperAdminRole.String()) && caller.PlatformRoleID != models.SuperAdminRole {
			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can invite admin users"), "forbidden"))
			return
		}
	}

	//validate Req
	err = proLogic.IsGroupsValid(inviteReq.UserGroups)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	err = proLogic.IsNetworkRolesValid(inviteReq.NetworkRoles)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}

	// check platform role
	_, err = logic.GetRole(models.UserRoleID(inviteReq.PlatformRoleID))
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	for _, inviteeEmail := range inviteReq.UserEmails {
		inviteeEmail = strings.ToLower(inviteeEmail)
		// check if user with email exists, then ignore
		if !email.IsValid(inviteeEmail) {
			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid email "+inviteeEmail), "badrequest"))
			return
		}
		_, err := logic.GetUser(inviteeEmail)
		if err == nil {
			// user exists already, so ignore
			continue
		}
		invite := models.UserInvite{
			Email:          inviteeEmail,
			PlatformRoleID: inviteReq.PlatformRoleID,
			UserGroups:     inviteReq.UserGroups,
			NetworkRoles:   inviteReq.NetworkRoles,
			InviteCode:     logic.RandomString(8),
		}
		frontendURL := strings.TrimSuffix(servercfg.GetFrontendURL(), "/")
		if frontendURL == "" {
			frontendURL = fmt.Sprintf("https://dashboard.%s", servercfg.GetNmBaseDomain())
		}
		u, err := url.Parse(fmt.Sprintf("%s/invite?email=%s&invite_code=%s",
			frontendURL, url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
		if err != nil {
			slog.Error("failed to parse to invite url", "error", err)
			return
		}
		if servercfg.DeployedByOperator() {
			u, err = url.Parse(fmt.Sprintf("%s/invite?tenant_id=%s&email=%s&invite_code=%s",
				proLogic.GetAccountsUIHost(), url.QueryEscape(servercfg.GetNetmakerTenantID()), url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
			if err != nil {
				slog.Error("failed to parse to invite url", "error", err)
				return
			}
		}
		invite.InviteURL = u.String()
		err = logic.InsertUserInvite(invite)
		if err != nil {
			slog.Error("failed to insert invite for user", "email", invite.Email, "error", err)
		}
		logic.LogEvent(&models.Event{
			Action: models.Create,
			Source: models.Subject{
				ID:   callerUserName,
				Name: callerUserName,
				Type: models.UserSub,
				Info: invite,
			},
			TriggeredBy: callerUserName,
			Target: models.Subject{
				ID:   inviteeEmail,
				Name: inviteeEmail,
				Type: models.UserInviteSub,
			},
			Origin: models.Dashboard,
		})
		// notify user with magic link
		go func(invite models.UserInvite) {
			// Set E-Mail body. You can set plain text or html with text/html

			e := email.UserInvitedMail{
				BodyBuilder:    &email.EmailBodyBuilderWithH1HeadlineAndImage{},
				InviteURL:      invite.InviteURL,
				PlatformRoleID: invite.PlatformRoleID,
			}
			n := email.Notification{
				RecipientMail: invite.Email,
			}
			err = email.GetClient().SendEmail(context.Background(), n, e)
			if err != nil {
				slog.Error("failed to send email invite", "user", invite.Email, "error", err)
			}
		}(invite)
	}

	logic.ReturnSuccessResponse(w, r, "triggered user invites")
}

// swagger:route GET /api/v1/users/invites user listUserInvites
//
// lists all pending invited users.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: ReturnSuccessResponseWithJson
func listUserInvites(w http.ResponseWriter, r *http.Request) {
	usersInvites, err := logic.ListUserInvites()
	if err != nil {
		logger.Log(0, "failed to fetch users: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.ReturnSuccessResponseWithJson(w, r, usersInvites, "fetched pending user invites")
}

// swagger:route DELETE /api/v1/users/invite user deleteUserInvite
//
// delete pending invite.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: ReturnSuccessResponse
func deleteUserInvite(w http.ResponseWriter, r *http.Request) {
	email := r.URL.Query().Get("invitee_email")
	err := logic.DeleteUserInvite(email)
	if err != nil {
		logger.Log(0, "failed to delete user invite: ", email, err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.Delete,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   email,
			Name: email,
			Type: models.UserInviteSub,
		},
		Origin: models.Dashboard,
	})
	logic.ReturnSuccessResponse(w, r, "deleted user invite")
}

// swagger:route DELETE /api/v1/users/invites user deleteAllUserInvites
//
// deletes all pending invites.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: ReturnSuccessResponse
func deleteAllUserInvites(w http.ResponseWriter, r *http.Request) {
	err := database.DeleteAllRecords(database.USER_INVITES_TABLE_NAME)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending user invites "+err.Error()), "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.DeleteAll,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   "All Invites",
			Name: "All Invites",
			Type: models.UserInviteSub,
		},
		Origin: models.Dashboard,
	})
	logic.ReturnSuccessResponse(w, r, "cleared all pending user invites")
}

// swagger:route GET /api/v1/user/groups user listUserGroups
//
// Get all user groups.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func listUserGroups(w http.ResponseWriter, r *http.Request) {
	groups, err := proLogic.ListUserGroups()
	if err != nil {
		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
			Code:    http.StatusInternalServerError,
			Message: err.Error(),
		})
		return
	}
	logic.ReturnSuccessResponseWithJson(w, r, groups, "successfully fetched user groups")
}

// swagger:route GET /api/v1/user/group user getUserGroup
//
// Get user group.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func getUserGroup(w http.ResponseWriter, r *http.Request) {

	gid := r.URL.Query().Get("group_id")
	if gid == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
		return
	}
	group, err := proLogic.GetUserGroup(models.UserGroupID(gid))
	if err != nil {
		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
			Code:    http.StatusInternalServerError,
			Message: err.Error(),
		})
		return
	}
	logic.ReturnSuccessResponseWithJson(w, r, group, "successfully fetched user group")
}

// swagger:route POST /api/v1/user/group user createUserGroup
//
// Create user groups.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func createUserGroup(w http.ResponseWriter, r *http.Request) {
	var userGroupReq models.CreateGroupReq
	err := json.NewDecoder(r.Body).Decode(&userGroupReq)
	if err != nil {
		slog.Error("error decoding request body", "error",
			err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	err = proLogic.ValidateCreateGroupReq(userGroupReq.Group)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	err = proLogic.CreateUserGroup(&userGroupReq.Group)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}

	for networkID := range userGroupReq.Group.NetworkRoles {
		network, err := logic.GetNetwork(networkID.String())
		if err != nil {
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
			return
		}

		acl := models.Acl{
			ID:          uuid.New().String(),
			Name:        fmt.Sprintf("%s group", userGroupReq.Group.Name),
			MetaData:    "This Policy allows user group to communicate with all gateways",
			Default:     false,
			ServiceType: models.Any,
			NetworkID:   models.NetworkID(network.NetID),
			Proto:       models.ALL,
			RuleType:    models.UserPolicy,
			Src: []models.AclPolicyTag{
				{
					ID:    models.UserGroupAclID,
					Value: userGroupReq.Group.ID.String(),
				},
			},
			Dst: []models.AclPolicyTag{
				{
					ID:    models.NodeTagID,
					Value: fmt.Sprintf("%s.%s", models.NetworkID(network.NetID), models.GwTagName),
				}},
			AllowedDirection: models.TrafficDirectionUni,
			Enabled:          true,
			CreatedBy:        "auto",
			CreatedAt:        time.Now().UTC(),
		}
		err = logic.InsertAcl(acl)
		if err != nil {
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
			return
		}
	}

	for _, userID := range userGroupReq.Members {
		user, err := logic.GetUser(userID)
		if err != nil {
			continue
		}
		if len(user.UserGroups) == 0 {
			user.UserGroups = make(map[models.UserGroupID]struct{})
		}
		user.UserGroups[userGroupReq.Group.ID] = struct{}{}
		logic.UpsertUser(*user)
	}
	logic.LogEvent(&models.Event{
		Action: models.Create,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   userGroupReq.Group.ID.String(),
			Name: userGroupReq.Group.Name,
			Type: models.UserGroupSub,
		},
		Origin: models.Dashboard,
	})
	logic.ReturnSuccessResponseWithJson(w, r, userGroupReq.Group, "created user group")
}

// swagger:route PUT /api/v1/user/group user updateUserGroup
//
// Update user group.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func updateUserGroup(w http.ResponseWriter, r *http.Request) {
	var userGroup models.UserGroup
	err := json.NewDecoder(r.Body).Decode(&userGroup)
	if err != nil {
		slog.Error("error decoding request body", "error",
			err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	// fetch curr group
	currUserG, err := proLogic.GetUserGroup(userGroup.ID)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	if currUserG.Default {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update default user group"), "badrequest"))
		return
	}
	err = proLogic.ValidateUpdateGroupReq(userGroup)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}

	userGroup.ExternalIdentityProviderID = currUserG.ExternalIdentityProviderID

	err = proLogic.UpdateUserGroup(userGroup)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.Update,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   userGroup.ID.String(),
			Name: userGroup.Name,
			Type: models.UserGroupSub,
		},
		Diff: models.Diff{
			Old: currUserG,
			New: userGroup,
		},
		Origin: models.Dashboard,
	})

	go func() {
		networksAdded := make([]models.NetworkID, 0)
		networksRemoved := make([]models.NetworkID, 0)

		for networkID := range userGroup.NetworkRoles {
			if _, ok := currUserG.NetworkRoles[networkID]; !ok {
				networksAdded = append(networksAdded, networkID)
			}
		}

		for networkID := range currUserG.NetworkRoles {
			if _, ok := userGroup.NetworkRoles[networkID]; !ok {
				networksRemoved = append(networksRemoved, networkID)
			}
		}

		for _, networkID := range networksAdded {
			// ensure the network exists.
			network, err := logic.GetNetwork(networkID.String())
			if err != nil {
				continue
			}

			// insert acl if the network is added to the group.
			acl := models.Acl{
				ID:          uuid.New().String(),
				Name:        fmt.Sprintf("%s group", userGroup.Name),
				MetaData:    "This Policy allows user group to communicate with all gateways",
				Default:     false,
				ServiceType: models.Any,
				NetworkID:   models.NetworkID(network.NetID),
				Proto:       models.ALL,
				RuleType:    models.UserPolicy,
				Src: []models.AclPolicyTag{
					{
						ID:    models.UserGroupAclID,
						Value: userGroup.ID.String(),
					},
				},
				Dst: []models.AclPolicyTag{
					{
						ID:    models.NodeTagID,
						Value: fmt.Sprintf("%s.%s", models.NetworkID(network.NetID), models.GwTagName),
					}},
				AllowedDirection: models.TrafficDirectionUni,
				Enabled:          true,
				CreatedBy:        "auto",
				CreatedAt:        time.Now().UTC(),
			}
			_ = logic.InsertAcl(acl)
		}

		// since this group doesn't have a role for this network,
		// there is no point in having this group as src in any
		// of the network's acls.
		for _, networkID := range networksRemoved {
			acls, err := logic.ListAclsByNetwork(networkID)
			if err != nil {
				continue
			}

			for _, acl := range acls {
				var hasGroupSrc bool
				newAclSrc := make([]models.AclPolicyTag, 0)
				for _, src := range acl.Src {
					if src.ID == models.UserGroupAclID && src.Value == userGroup.ID.String() {
						hasGroupSrc = true
					} else {
						newAclSrc = append(newAclSrc, src)
					}
				}

				if hasGroupSrc {
					if len(newAclSrc) == 0 {
						// no other src exists, delete acl.
						_ = logic.DeleteAcl(acl)
					} else {
						// other sources exist, update acl.
						acl.Src = newAclSrc
						_ = logic.UpsertAcl(acl)
					}
				}
			}
		}
	}()

	// reset configs for service user
	go proLogic.UpdatesUserGwAccessOnGrpUpdates(currUserG.NetworkRoles, userGroup.NetworkRoles)
	logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
}

// swagger:route PUT /api/v1/users/add_network_user user addUsertoNetwork
//
// add user to network.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func addUsertoNetwork(w http.ResponseWriter, r *http.Request) {
	username := r.URL.Query().Get("username")
	if username == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
		return
	}
	netID := r.URL.Query().Get("network_id")
	if netID == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
		return
	}
	if user.PlatformRoleID != models.ServiceUser {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
		return
	}
	oldUser := *user
	user.UserGroups[proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID))] = struct{}{}
	logic.UpsertUser(*user)
	logic.LogEvent(&models.Event{
		Action: models.Update,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   user.UserName,
			Name: user.UserName,
			Type: models.UserSub,
		},
		Diff: models.Diff{
			Old: oldUser,
			New: user,
		},
		Origin: models.Dashboard,
	})

	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
}

// swagger:route PUT /api/v1/users/remove_network_user user removeUserfromNetwork
//
// add user to network.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
func removeUserfromNetwork(w http.ResponseWriter, r *http.Request) {
	username := r.URL.Query().Get("username")
	if username == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
		return
	}
	netID := r.URL.Query().Get("network_id")
	if netID == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
		return
	}
	if user.PlatformRoleID != models.ServiceUser {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
		return
	}
	oldUser := *user
	delete(user.UserGroups, proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID)))
	logic.UpsertUser(*user)
	logic.LogEvent(&models.Event{
		Action: models.Update,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   user.UserName,
			Name: user.UserName,
			Type: models.UserSub,
		},
		Diff: models.Diff{
			Old: oldUser,
			New: user,
		},
		Origin: models.Dashboard,
	})

	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
}

// swagger:route DELETE /api/v1/user/group user deleteUserGroup
//
// delete user group.
//
//			Schemes: https
//
//			Security:
//	  		oauth
//
//			Responses:
//				200: userBodyResponse
//
// @Summary     Delete user group.
// @Router      /api/v1/user/group [delete]
// @Tags        Users
// @Param       group_id query string true "group id required to delete the role"
// @Success     200 {string} string
// @Failure     500 {object} models.ErrorResponse
func deleteUserGroup(w http.ResponseWriter, r *http.Request) {

	gid := r.URL.Query().Get("group_id")
	if gid == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
		return
	}
	userG, err := proLogic.GetUserGroup(models.UserGroupID(gid))
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to fetch group details"), "badrequest"))
		return
	}
	if userG.Default {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default user group"), "badrequest"))
		return
	}
	err = proLogic.DeleteUserGroup(models.UserGroupID(gid))
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.Delete,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   userG.ID.String(),
			Name: userG.Name,
			Type: models.UserGroupSub,
		},
		Origin: models.Dashboard,
	})

	go func() {
		for networkID := range userG.NetworkRoles {
			acls, err := logic.ListAclsByNetwork(networkID)
			if err != nil {
				continue
			}

			for _, acl := range acls {
				var hasGroupSrc bool
				newAclSrc := make([]models.AclPolicyTag, 0)
				for _, src := range acl.Src {
					if src.ID == models.UserGroupAclID && src.Value == userG.ID.String() {
						hasGroupSrc = true
					} else {
						newAclSrc = append(newAclSrc, src)
					}
				}

				if hasGroupSrc {
					if len(newAclSrc) == 0 {
						// no other src exists, delete acl.
						_ = logic.DeleteAcl(acl)
					} else {
						// other sources exist, update acl.
						acl.Src = newAclSrc
						_ = logic.UpsertAcl(acl)
					}
				}
			}
		}
	}()

	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userG.NetworkRoles, make(map[models.NetworkID]map[models.UserRoleID]struct{}))
	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
}

// @Summary     lists all user roles.
// @Router      /api/v1/user/roles [get]
// @Tags        Users
// @Param       role_id query string true "roleid required to get the role details"
// @Success     200 {object}  []models.UserRolePermissionTemplate
// @Failure     500 {object} models.ErrorResponse
func ListRoles(w http.ResponseWriter, r *http.Request) {
	platform := r.URL.Query().Get("platform")
	var roles []models.UserRolePermissionTemplate
	var err error
	if platform == "true" {
		roles, err = logic.ListPlatformRoles()
	} else {
		roles, err = proLogic.ListNetworkRoles()
	}
	if err != nil {
		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
			Code:    http.StatusInternalServerError,
			Message: err.Error(),
		})
		return
	}

	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
}

// @Summary     Get user role permission template.
// @Router      /api/v1/user/role [get]
// @Tags        Users
// @Param       role_id query string true "roleid required to get the role details"
// @Success     200 {object} models.UserRolePermissionTemplate
// @Failure     500 {object} models.ErrorResponse
func getRole(w http.ResponseWriter, r *http.Request) {
	rid := r.URL.Query().Get("role_id")
	if rid == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
		return
	}
	role, err := logic.GetRole(models.UserRoleID(rid))
	if err != nil {
		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
			Code:    http.StatusInternalServerError,
			Message: err.Error(),
		})
		return
	}
	logic.ReturnSuccessResponseWithJson(w, r, role, "successfully fetched user role permission templates")
}

// @Summary     Create user role permission template.
// @Router      /api/v1/user/role [post]
// @Tags        Users
// @Param       body body models.UserRolePermissionTemplate true "user role template"
// @Success     200 {object}  models.UserRolePermissionTemplate
// @Failure     500 {object} models.ErrorResponse
func createRole(w http.ResponseWriter, r *http.Request) {
	var userRole models.UserRolePermissionTemplate
	err := json.NewDecoder(r.Body).Decode(&userRole)
	if err != nil {
		slog.Error("error decoding request body", "error",
			err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	err = proLogic.ValidateCreateRoleReq(&userRole)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	userRole.Default = false
	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
	err = proLogic.CreateRole(userRole)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.Create,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   userRole.ID.String(),
			Name: userRole.Name,
			Type: models.UserRoleSub,
		},
		Origin: models.ClientApp,
	})
	logic.ReturnSuccessResponseWithJson(w, r, userRole, "created user role")
}

// @Summary     Update user role permission template.
// @Router      /api/v1/user/role [put]
// @Tags        Users
// @Param       body body models.UserRolePermissionTemplate true "user role template"
// @Success     200 {object} models.UserRolePermissionTemplate
// @Failure     500 {object} models.ErrorResponse
func updateRole(w http.ResponseWriter, r *http.Request) {
	var userRole models.UserRolePermissionTemplate
	err := json.NewDecoder(r.Body).Decode(&userRole)
	if err != nil {
		slog.Error("error decoding request body", "error",
			err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	currRole, err := logic.GetRole(userRole.ID)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	err = proLogic.ValidateUpdateRoleReq(&userRole)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
	err = proLogic.UpdateRole(userRole)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.Update,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   userRole.ID.String(),
			Name: userRole.Name,
			Type: models.UserRoleSub,
		},
		Diff: models.Diff{
			Old: currRole,
			New: userRole,
		},
		Origin: models.Dashboard,
	})
	// reset configs for service user
	go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
	logic.ReturnSuccessResponseWithJson(w, r, userRole, "updated user role")
}

// @Summary     Delete user role permission template.
// @Router      /api/v1/user/role [delete]
// @Tags        Users
// @Param       role_id query string true "roleid required to delete the role"
// @Success     200 {string} string
// @Failure     500 {object} models.ErrorResponse
func deleteRole(w http.ResponseWriter, r *http.Request) {

	rid := r.URL.Query().Get("role_id")
	if rid == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
		return
	}
	role, err := logic.GetRole(models.UserRoleID(rid))
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
		return
	}
	err = proLogic.DeleteRole(models.UserRoleID(rid), false)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.Delete,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   role.ID.String(),
			Name: role.Name,
			Type: models.UserRoleSub,
		},
		Origin: models.Dashboard,
	})
	go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user role")
}

// @Summary     Attach user to a remote access gateway
// @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [post]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       username path string true "Username"
// @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
// @Success     200 {object} models.ReturnUser
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	username := params["username"]
	remoteGwID := params["remote_access_gateway_id"]
	if username == "" || remoteGwID == "" {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("required params `username` and `remote_access_gateway_id`"),
				"badrequest",
			),
		)
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		slog.Error("failed to fetch user: ", "username", username, "error", err.Error())
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
				"badrequest",
			),
		)
		return
	}
	if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("superadmins/admins have access to all gateways"), "badrequest"))
		return
	}
	node, err := logic.GetNodeByID(remoteGwID)
	if err != nil {
		slog.Error("failed to fetch gateway node", "nodeID", remoteGwID, "error", err)
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch remote access gateway node, error: %v", err),
				"badrequest",
			),
		)
		return
	}
	if !node.IsIngressGateway {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(fmt.Errorf("node is not a remote access gateway"), "badrequest"),
		)
		return
	}
	if user.RemoteGwIDs == nil {
		user.RemoteGwIDs = make(map[string]struct{})
	}
	user.RemoteGwIDs[node.ID.String()] = struct{}{}
	err = logic.UpsertUser(*user)
	if err != nil {
		slog.Error("failed to update user's gateways", "user", username, "error", err)
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch remote access gateway node,error: %v", err),
				"badrequest",
			),
		)
		return
	}

	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
}

// @Summary     Remove user from a remote access gateway
// @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [delete]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       username path string true "Username"
// @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
// @Success     200 {object} models.ReturnUser
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	username := params["username"]
	remoteGwID := params["remote_access_gateway_id"]
	if username == "" || remoteGwID == "" {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("required params `username` and `remote_access_gateway_id`"),
				"badrequest",
			),
		)
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
				"badrequest",
			),
		)
		return
	}
	delete(user.RemoteGwIDs, remoteGwID)
	go func(user models.User, remoteGwID string) {
		extclients, err := logic.GetAllExtClients()
		if err != nil {
			slog.Error("failed to fetch extclients", "error", err)
			return
		}
		for _, extclient := range extclients {
			if extclient.OwnerID == user.UserName && remoteGwID == extclient.IngressGatewayID {
				err = logic.DeleteExtClientAndCleanup(extclient)
				if err != nil {
					slog.Error("failed to delete extclient",
						"id", extclient.ClientID, "owner", user.UserName, "error", err)
				} else {
					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
						slog.Error("error setting ext peers: " + err.Error())
					}
				}
			}
		}
		if servercfg.IsDNSMode() {
			logic.SetDNS()
		}
	}(*user, remoteGwID)

	err = logic.UpsertUser(*user)
	if err != nil {
		slog.Error("failed to update user gateways", "user", username, "error", err)
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(
				errors.New("failed to fetch remote access gaetway node "+err.Error()),
				"badrequest",
			),
		)
		return
	}
	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
}

// @Summary     Get Users Remote Access Gw Networks.
// @Router      /api/users/{username}/remote_access_gw [get]
// @Tags        Users
// @Param       username path string true "Username to fetch all the gateways with access"
// @Success     200 {object} map[string][]models.UserRemoteGws
// @Failure     500 {object} models.ErrorResponse
func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")
	username := r.Header.Get("user")
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
		return
	}
	userGws := make(map[string][]models.UserRemoteGws)
	networks := []models.Network{}
	networkMap := make(map[string]struct{})
	userGwNodes := proLogic.GetUserRAGNodes(*user)
	for _, node := range userGwNodes {
		network, err := logic.GetNetwork(node.Network)
		if err != nil {
			slog.Error("failed to get node network", "error", err)
			continue
		}
		if _, ok := networkMap[network.NetID]; ok {
			continue
		}
		networkMap[network.NetID] = struct{}{}
		networks = append(networks, network)
	}

	slog.Debug("returned user gws", "user", username, "gws", userGws)
	logic.ReturnSuccessResponseWithJson(w, r, networks, "fetched user accessible networks")
}

// @Summary     Get Users Remote Access Gw Networks.
// @Router      /api/users/{username}/remote_access_gw [get]
// @Tags        Users
// @Param       username path string true "Username to fetch all the gateways with access"
// @Success     200 {object} map[string][]models.UserRemoteGws
// @Failure     500 {object} models.ErrorResponse
func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	username := r.Header.Get("user")
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
		return
	}
	network := params["network"]
	if network == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params network"), "badrequest"))
		return
	}
	userGws := []models.UserRAGs{}

	userGwNodes := proLogic.GetUserRAGNodes(*user)
	for _, node := range userGwNodes {
		if node.Network != network {
			continue
		}

		host, err := logic.GetHost(node.HostID.String())
		if err != nil {
			continue
		}

		userGws = append(userGws, models.UserRAGs{
			GwID:              node.ID.String(),
			GWName:            host.Name,
			Network:           node.Network,
			IsInternetGateway: node.IsInternetGateway,
			Metadata:          node.Metadata,
		})

	}

	slog.Debug("returned user gws", "user", username, "gws", userGws)
	logic.ReturnSuccessResponseWithJson(w, r, userGws, "fetched user accessible gateways in network "+network)
}

// @Summary     Get Users Remote Access Gw Networks.
// @Router      /api/users/{username}/remote_access_gw [get]
// @Tags        Users
// @Param       username path string true "Username to fetch all the gateways with access"
// @Success     200 {object} map[string][]models.UserRemoteGws
// @Failure     500 {object} models.ErrorResponse
func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	username := r.Header.Get("user")
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
		return
	}
	remoteGwID := params["access_point_id"]
	if remoteGwID == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params access_point_id"), "badrequest"))
		return
	}
	var req models.UserRemoteGwsReq
	err = json.NewDecoder(r.Body).Decode(&req)
	if err != nil {
		slog.Error("error decoding request body: ", "error", err)
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}

	userGwNodes := proLogic.GetUserRAGNodes(*user)
	if _, ok := userGwNodes[remoteGwID]; !ok {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
		return
	}
	node, err := logic.GetNodeByID(remoteGwID)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw node %s, error: %v", remoteGwID, err), "badrequest"))
		return
	}
	host, err := logic.GetHost(node.HostID.String())
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw host %s, error: %v", remoteGwID, err), "badrequest"))
		return
	}
	network, err := logic.GetNetwork(node.Network)
	if err != nil {
		slog.Error("failed to get node network", "error", err)
	}
	var userConf models.ExtClient
	allextClients, err := logic.GetAllExtClients()
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	for _, extClient := range allextClients {
		if extClient.Network != network.NetID || extClient.IngressGatewayID != node.ID.String() {
			continue
		}
		if extClient.RemoteAccessClientID == req.RemoteAccessClientID && extClient.OwnerID == username {
			userConf = extClient
			userConf.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
		}
	}
	if userConf.ClientID == "" {
		// create a new conf
		userConf.OwnerID = user.UserName
		userConf.RemoteAccessClientID = req.RemoteAccessClientID
		userConf.IngressGatewayID = node.ID.String()

		// set extclient dns to ingressdns if extclient dns is not explicitly set
		if (userConf.DNS == "") && (node.IngressDNS != "") {
			userConf.DNS = node.IngressDNS
		}

		userConf.Network = node.Network
		host, err := logic.GetHost(node.HostID.String())
		if err != nil {
			logger.Log(0, r.Header.Get("user"),
				fmt.Sprintf("failed to get ingress gateway host for node [%s] info: %v", node.ID, err))
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
			return
		}
		listenPort := logic.GetPeerListenPort(host)
		if host.EndpointIP.To4() == nil {
			userConf.IngressGatewayEndpoint = fmt.Sprintf("[%s]:%d", host.EndpointIPv6.String(), listenPort)
		} else {
			userConf.IngressGatewayEndpoint = fmt.Sprintf("%s:%d", host.EndpointIP.String(), listenPort)
		}
		userConf.Enabled = true
		parentNetwork, err := logic.GetNetwork(node.Network)
		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
			userConf.Enabled = parentNetwork.DefaultACL == "yes"
		}
		userConf.Tags = make(map[models.TagID]struct{})
		// userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
		// 	models.RemoteAccessTagName))] = struct{}{}
		if err = logic.CreateExtClient(&userConf); err != nil {
			slog.Error(
				"failed to create extclient",
				"user",
				r.Header.Get("user"),
				"network",
				node.Network,
				"error",
				err,
			)
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
			return
		}
	}
	userGw := models.UserRemoteGws{
		GwID:              node.ID.String(),
		GWName:            host.Name,
		Network:           node.Network,
		GwClient:          userConf,
		Connected:         true,
		IsInternetGateway: node.IsInternetGateway,
		GwPeerPublicKey:   host.PublicKey.String(),
		GwListenPort:      logic.GetPeerListenPort(host),
		Metadata:          node.Metadata,
		AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
		NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
		DnsAddress:        node.IngressDNS,
		Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
	}

	slog.Debug("returned user gw config", "user", user.UserName, "gws", userGw)
	logic.ReturnSuccessResponseWithJson(w, r, userGw, "fetched user config to gw "+remoteGwID)
}

// @Summary     Get Users Remote Access Gw.
// @Router      /api/users/{username}/remote_access_gw [get]
// @Tags        Users
// @Param       username path string true "Username to fetch all the gateways with access"
// @Success     200 {object} map[string][]models.UserRemoteGws
// @Failure     500 {object} models.ErrorResponse
func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	username := params["username"]
	if username == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
		return
	}
	user, err := logic.GetUser(username)
	if err != nil {
		logger.Log(0, username, "failed to fetch user: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
		return
	}
	deviceID := r.URL.Query().Get("device_id")
	remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
	var req models.UserRemoteGwsReq
	if remoteAccessClientID == "" {
		err := json.NewDecoder(r.Body).Decode(&req)
		if err != nil {
			slog.Error("error decoding request body: ", "error", err)
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
			return
		}
	}
	reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
	if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
		return
	}
	if req.RemoteAccessClientID == "" {
		req.RemoteAccessClientID = remoteAccessClientID
	}
	userGws := make(map[string][]models.UserRemoteGws)
	allextClients, err := logic.GetAllExtClients()
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	userGwNodes := proLogic.GetUserRAGNodes(*user)

	userExtClients := make(map[string][]models.ExtClient)

	// group all extclients of the requesting user by ingress
	// gateway.
	for _, extClient := range allextClients {
		// filter our extclients that don't belong to this user.
		if extClient.OwnerID != username {
			continue
		}

		_, ok := userExtClients[extClient.IngressGatewayID]
		if !ok {
			userExtClients[extClient.IngressGatewayID] = []models.ExtClient{}
		}

		userExtClients[extClient.IngressGatewayID] = append(userExtClients[extClient.IngressGatewayID], extClient)
	}

	for ingressGatewayID, extClients := range userExtClients {
		node, ok := userGwNodes[ingressGatewayID]
		if !ok {
			continue
		}

		var gwClient models.ExtClient
		var found bool
		if deviceID != "" {
			for _, extClient := range extClients {
				if extClient.DeviceID == deviceID {
					gwClient = extClient
					found = true
					break
				}
			}
		}

		if !found {
			// TODO: prevent ip clashes.
			if len(extClients) > 0 {
				gwClient = extClients[0]
			}
		}

		host, err := logic.GetHost(node.HostID.String())
		if err != nil {
			continue
		}
		network, err := logic.GetNetwork(node.Network)
		if err != nil {
			slog.Error("failed to get node network", "error", err)
			continue
		}
		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
		if len(nodesWithStatus) > 0 {
			node = nodesWithStatus[0]
		}

		gws := userGws[node.Network]
		if gwClient.DNS == "" {
			gwClient.DNS = node.IngressDNS
		}

		gwClient.IngressGatewayEndpoint = utils.GetExtClientEndpoint(
			host.EndpointIP,
			host.EndpointIPv6,
			logic.GetPeerListenPort(host),
		)
		gwClient.AllowedIPs = logic.GetExtclientAllowedIPs(gwClient)
		gws = append(gws, models.UserRemoteGws{
			GwID:              node.ID.String(),
			GWName:            host.Name,
			Network:           node.Network,
			GwClient:          gwClient,
			Connected:         true,
			IsInternetGateway: node.IsInternetGateway,
			GwPeerPublicKey:   host.PublicKey.String(),
			GwListenPort:      logic.GetPeerListenPort(host),
			Metadata:          node.Metadata,
			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
			Status:            node.Status,
			DnsAddress:        node.IngressDNS,
			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
		})
		userGws[node.Network] = gws
		delete(userGwNodes, node.ID.String())
	}

	// add remaining gw nodes to resp
	for gwID := range userGwNodes {
		node, err := logic.GetNodeByID(gwID)
		if err != nil {
			continue
		}
		if !node.IsIngressGateway {
			continue
		}
		if node.PendingDelete {
			continue
		}
		host, err := logic.GetHost(node.HostID.String())
		if err != nil {
			continue
		}
		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
		if len(nodesWithStatus) > 0 {
			node = nodesWithStatus[0]
		}
		network, err := logic.GetNetwork(node.Network)
		if err != nil {
			slog.Error("failed to get node network", "error", err)
		}
		gws := userGws[node.Network]

		gws = append(gws, models.UserRemoteGws{
			GwID:              node.ID.String(),
			GWName:            host.Name,
			Network:           node.Network,
			IsInternetGateway: node.IsInternetGateway,
			GwPeerPublicKey:   host.PublicKey.String(),
			GwListenPort:      logic.GetPeerListenPort(host),
			Metadata:          node.Metadata,
			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
			Status:            node.Status,
			DnsAddress:        node.IngressDNS,
			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
		})
		userGws[node.Network] = gws
	}

	if reqFromMobile {
		// send resp in array format
		userGwsArr := []models.UserRemoteGws{}
		for _, userGwI := range userGws {
			userGwsArr = append(userGwsArr, userGwI...)
		}
		logic.ReturnSuccessResponseWithJson(w, r, userGwsArr, "fetched gateways for user"+username)
		return
	}
	slog.Debug("returned user gws", "user", username, "gws", userGws)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(userGws)
}

// @Summary     List users attached to an remote access gateway
// @Router      /api/nodes/{network}/{nodeid}/ingress/users [get]
// @Tags        PRO
// @Accept      json
// @Produce     json
// @Param       ingress_id path string true "Ingress Gateway ID"
// @Success     200 {array} models.IngressGwUsers
// @Failure     400 {object} models.ErrorResponse
// @Failure     500 {object} models.ErrorResponse
func ingressGatewayUsers(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	ingressID := params["ingress_id"]
	node, err := logic.GetNodeByID(ingressID)
	if err != nil {
		slog.Error("failed to get ingress node", "error", err)
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}
	gwUsers, err := logic.GetIngressGwUsers(node)
	if err != nil {
		slog.Error(
			"failed to get users on ingress gateway",
			"nodeid",
			ingressID,
			"network",
			node.Network,
			"user",
			r.Header.Get("user"),
			"error",
			err,
		)
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(gwUsers)
}

func getAllowedRagEndpoints(ragNode *models.Node, ragHost *models.Host) []string {
	endpoints := []string{}
	if len(ragHost.EndpointIP) > 0 {
		endpoints = append(endpoints, ragHost.EndpointIP.String())
	}
	if len(ragHost.EndpointIPv6) > 0 {
		endpoints = append(endpoints, ragHost.EndpointIPv6.String())
	}
	if servercfg.IsPro {
		for _, ip := range ragNode.AdditionalRagIps {
			endpoints = append(endpoints, ip.String())
		}
	}
	return endpoints
}

// @Summary     Get all pending users
// @Router      /api/users_pending [get]
// @Tags        Users
// @Success     200 {array} models.User
// @Failure     500 {object} models.ErrorResponse
func getPendingUsers(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	users, err := logic.ListPendingReturnUsers()
	if err != nil {
		logger.Log(0, "failed to fetch users: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}

	logic.SortUsers(users[:])
	logger.Log(2, r.Header.Get("user"), "fetched pending users")
	json.NewEncoder(w).Encode(users)
}

// @Summary     Approve a pending user
// @Router      /api/users_pending/user/{username} [post]
// @Tags        Users
// @Param       username path string true "Username of the pending user to approve"
// @Success     200 {string} string
// @Failure     500 {object} models.ErrorResponse
func approvePendingUser(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	username := params["username"]
	users, err := logic.ListPendingUsers()

	if err != nil {
		logger.Log(0, "failed to fetch users: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	for _, user := range users {
		if user.UserName == username {
			var newPass, fetchErr = logic.FetchPassValue("")
			if fetchErr != nil {
				logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
				return
			}
			if err = logic.CreateUser(&models.User{
				UserName:                   user.UserName,
				ExternalIdentityProviderID: user.ExternalIdentityProviderID,
				Password:                   newPass,
				AuthType:                   user.AuthType,
				PlatformRoleID:             models.ServiceUser,
			}); err != nil {
				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to create user: %s", err), "internal"))
				return
			}
			err = logic.DeletePendingUser(username)
			if err != nil {
				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
				return
			}
			break
		}
	}
	logic.LogEvent(&models.Event{
		Action: models.Create,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   username,
			Name: username,
			Type: models.PendingUserSub,
		},
		Origin: models.Dashboard,
	})
	logic.ReturnSuccessResponse(w, r, "approved "+username)
}

// @Summary     Delete a pending user
// @Router      /api/users_pending/user/{username} [delete]
// @Tags        Users
// @Param       username path string true "Username of the pending user to delete"
// @Success     200 {string} string
// @Failure     500 {object} models.ErrorResponse
func deletePendingUser(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	username := params["username"]
	users, err := logic.ListPendingReturnUsers()

	if err != nil {
		logger.Log(0, "failed to fetch users: ", err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
		return
	}
	for _, user := range users {
		if user.UserName == username {
			err = logic.DeletePendingUser(username)
			if err != nil {
				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
				return
			}
			break
		}
	}
	logic.LogEvent(&models.Event{
		Action: models.Delete,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   username,
			Name: username,
			Type: models.PendingUserSub,
		},
		Origin: models.Dashboard,
	})
	logic.ReturnSuccessResponse(w, r, "deleted pending "+username)
}

// @Summary     Delete all pending users
// @Router      /api/users_pending [delete]
// @Tags        Users
// @Success     200 {string} string
// @Failure     500 {object} models.ErrorResponse
func deleteAllPendingUsers(w http.ResponseWriter, r *http.Request) {
	// set header.
	err := database.DeleteAllRecords(database.PENDING_USERS_TABLE_NAME)
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending users "+err.Error()), "internal"))
		return
	}
	logic.LogEvent(&models.Event{
		Action: models.DeleteAll,
		Source: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.UserSub,
		},
		TriggeredBy: r.Header.Get("user"),
		Target: models.Subject{
			ID:   r.Header.Get("user"),
			Name: r.Header.Get("user"),
			Type: models.PendingUserSub,
		},
		Origin: models.Dashboard,
	})
	logic.ReturnSuccessResponse(w, r, "cleared all pending users")
}

// @Summary     Sync users and groups from idp.
// @Router      /api/idp/sync [post]
// @Tags        IDP
// @Success     200 {object} models.SuccessResponse
func syncIDP(w http.ResponseWriter, r *http.Request) {
	go func() {
		err := proAuth.SyncFromIDP()
		if err != nil {
			logger.Log(0, "failed to sync from idp: ", err.Error())
		} else {
			logger.Log(0, "sync from idp complete")
		}
	}()

	logic.ReturnSuccessResponse(w, r, "starting sync from idp")
}

// @Summary     Test IDP Sync Credentials.
// @Router      /api/idp/sync/test [post]
// @Tags        IDP
// @Success     200 {object} models.SuccessResponse
// @Failure     400 {object} models.ErrorResponse
func testIDPSync(w http.ResponseWriter, r *http.Request) {
	var req models.IDPSyncTestRequest
	err := json.NewDecoder(r.Body).Decode(&req)
	if err != nil {
		err = fmt.Errorf("failed to decode request body: %v", err)
		logger.Log(0, err.Error())
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}

	var idpClient idp.Client
	switch req.AuthProvider {
	case "google":
		idpClient, err = google.NewGoogleWorkspaceClient(req.GoogleAdminEmail, req.GoogleSACredsJson)
		if err != nil {
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
			return
		}
	case "azure-ad":
		idpClient = azure.NewAzureEntraIDClient(req.ClientID, req.ClientSecret, req.AzureTenantID)
	case "okta":
		idpClient, err = okta.NewOktaClient(req.OktaOrgURL, req.OktaAPIToken)
		if err != nil {
			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
			return
		}
	default:
		err = fmt.Errorf("invalid auth provider: %s", req.AuthProvider)
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}

	err = idpClient.Verify()
	if err != nil {
		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
		return
	}

	logic.ReturnSuccessResponse(w, r, "idp sync test successful")
}

// @Summary     Gets idp sync status.
// @Router      /api/idp/sync/status [get]
// @Tags        IDP
// @Success     200 {object} models.SuccessResponse
func getIDPSyncStatus(w http.ResponseWriter, r *http.Request) {
	logic.ReturnSuccessResponseWithJson(w, r, proAuth.GetIDPSyncStatus(), "idp sync status retrieved")
}

// @Summary     Remove idp integration.
// @Router      /api/idp [delete]
// @Tags        IDP
// @Success     200 {object} models.SuccessResponse
// @Failure     500 {object} models.ErrorResponse
func removeIDPIntegration(w http.ResponseWriter, r *http.Request) {
	superAdmin, err := logic.GetSuperAdmin()
	if err != nil {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(fmt.Errorf("failed to get superadmin: %v", err), "internal"),
		)
		return
	}

	if superAdmin.AuthType == models.OAuth {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(fmt.Errorf("cannot remove idp integration with superadmin oauth user"), "badrequest"),
		)
		return
	}

	settings := logic.GetServerSettings()
	settings.AuthProvider = ""
	settings.OIDCIssuer = ""
	settings.ClientID = ""
	settings.ClientSecret = ""
	settings.SyncEnabled = false
	settings.GoogleAdminEmail = ""
	settings.GoogleSACredsJson = ""
	settings.AzureTenant = ""
	settings.UserFilters = nil
	settings.GroupFilters = nil

	err = logic.UpsertServerSettings(settings)
	if err != nil {
		logic.ReturnErrorResponse(
			w,
			r,
			logic.FormatError(fmt.Errorf("failed to remove idp integration: %v", err), "internal"),
		)
		return
	}

	proAuth.ResetAuthProvider()
	proAuth.ResetIDPSyncHook()

	go func() {
		err := proAuth.SyncFromIDP()
		if err != nil {
			logger.Log(0, "failed to sync from idp: ", err.Error())
		} else {
			logger.Log(0, "sync from idp complete")
		}
	}()

	logic.ReturnSuccessResponse(w, r, "removed idp integration successfully")
}