Kezdőlap Felfedezés Súgó
Bejelentkezés
golang
/
netmaker
tükrözi: https://github.com/gravitl/netmaker
2
0
Másolás 0
Fájlok Problémák 0 Wiki
Fa: a39da31fa6
Branch-ok Tag-ek
netmaker
/
controllers
/
user.go

user.go 25 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"net/url"
    9. 

  9. 	"reflect"
    10. 

  10. 

  11. 	"github.com/gorilla/mux"
    12. 

  12. 	"github.com/gorilla/websocket"
    13. 

  13. 	"github.com/gravitl/netmaker/auth"
    14. 

  14. 	"github.com/gravitl/netmaker/logger"
    15. 

  15. 	"github.com/gravitl/netmaker/logic"
    16. 

  16. 	"github.com/gravitl/netmaker/models"
    17. 

  17. 	"github.com/gravitl/netmaker/mq"
    18. 

  18. 	"github.com/gravitl/netmaker/servercfg"
    19. 

  19. 	"golang.org/x/exp/slog"
    20. 

  20. )
    21. 

  21. 

  22. var (
    23. 

  23. 	upgrader = websocket.Upgrader{}
    24. 

  24. )
    25. 

  25. 

  26. var ListRoles = listRoles
    27. 

  27. 

  28. func userHandlers(r *mux.Router) {
    29. 

  29. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    30. 

  30. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    31. 

  31. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    32. 

  32. 		Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    34. 

  34. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    35. 

  35. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    37. 

  37. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    38. 

  38. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    39. 

  39. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    40. 

  40. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    41. 

  41. 

  42. }
    43. 

  43. 

  44. // @Summary     Authenticate a user to retrieve an authorization token
    45. 

  45. // @Router      /api/users/adm/authenticate [post]
    46. 

  46. // @Tags        Auth
    47. 

  47. // @Accept      json
    48. 

  48. // @Param       body body models.UserAuthParams true "Authentication parameters"
    49. 

  49. // @Success     200 {object} models.SuccessResponse
    50. 

  50. // @Failure     400 {object} models.ErrorResponse
    51. 

  51. // @Failure     401 {object} models.ErrorResponse
    52. 

  52. // @Failure     500 {object} models.ErrorResponse
    53. 

  53. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    54. 

  54. 

  55. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    56. 

  56. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    57. 

  57. 	var authRequest models.UserAuthParams
    58. 

  58. 	var errorResponse = models.ErrorResponse{
    59. 

  59. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    60. 

  60. 	}
    61. 

  61. 

  62. 	if !servercfg.IsBasicAuthEnabled() {
    63. 

  63. 		logic.ReturnErrorResponse(
    64. 

  64. 			response,
    65. 

  65. 			request,
    66. 

  66. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    67. 

  67. 		)
    68. 

  68. 		return
    69. 

  69. 	}
    70. 

  70. 

  71. 	decoder := json.NewDecoder(request.Body)
    72. 

  72. 	decoderErr := decoder.Decode(&authRequest)
    73. 

  73. 	defer request.Body.Close()
    74. 

  74. 	if decoderErr != nil {
    75. 

  75. 		logger.Log(0, "error decoding request body: ",
    76. 

  76. 			decoderErr.Error())
    77. 

  77. 		logic.ReturnErrorResponse(response, request, errorResponse)
    78. 

  78. 		return
    79. 

  79. 	}
    80. 

  80. 	if val := request.Header.Get("From-Ui"); val == "true" {
    81. 

  81. 		// request came from UI, if normal user block Login
    82. 

  82. 		user, err := logic.GetUser(authRequest.UserName)
    83. 

  83. 		if err != nil {
    84. 

  84. 			logger.Log(0, authRequest.UserName, "user validation failed: ",
    85. 

  85. 				err.Error())
    86. 

  86. 			logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    87. 

  87. 			return
    88. 

  88. 		}
    89. 

  89. 		role, err := logic.GetRole(user.PlatformRoleID)
    90. 

  90. 		if err != nil {
    91. 

  91. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    92. 

  92. 			return
    93. 

  93. 		}
    94. 

  94. 		if role.DenyDashboardAccess {
    95. 

  95. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    96. 

  96. 			return
    97. 

  97. 		}
    98. 

  98. 	}
    99. 

  99. 	user, err := logic.GetUser(authRequest.UserName)
    100. 

  100. 	if err != nil {
    101. 

  101. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    102. 

  102. 		return
    103. 

  103. 	}
    104. 

  104. 	if logic.IsOauthUser(user) == nil {
    105. 

  105. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    106. 

  106. 		return
    107. 

  107. 	}
    108. 

  108. 	username := authRequest.UserName
    109. 

  109. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    110. 

  110. 	if err != nil {
    111. 

  111. 		logger.Log(0, username, "user validation failed: ",
    112. 

  112. 			err.Error())
    113. 

  113. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    114. 

  114. 		return
    115. 

  115. 	}
    116. 

  116. 

  117. 	if jwt == "" {
    118. 

  118. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    119. 

  119. 		logger.Log(0, username, "jwt token is empty")
    120. 

  120. 		logic.ReturnErrorResponse(
    121. 

  121. 			response,
    122. 

  122. 			request,
    123. 

  123. 			logic.FormatError(errors.New("no token returned"), "internal"),
    124. 

  124. 		)
    125. 

  125. 		return
    126. 

  126. 	}
    127. 

  127. 

  128. 	var successResponse = models.SuccessResponse{
    129. 

  129. 		Code:    http.StatusOK,
    130. 

  130. 		Message: "W1R3: Device " + username + " Authorized",
    131. 

  131. 		Response: models.SuccessfulUserLoginResponse{
    132. 

  132. 			AuthToken: jwt,
    133. 

  133. 			UserName:  username,
    134. 

  134. 		},
    135. 

  135. 	}
    136. 

  136. 	// Send back the JWT
    137. 

  137. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    138. 

  138. 	if jsonError != nil {
    139. 

  139. 		logger.Log(0, username,
    140. 

  140. 			"error marshalling resp: ", jsonError.Error())
    141. 

  141. 		logic.ReturnErrorResponse(response, request, errorResponse)
    142. 

  142. 		return
    143. 

  143. 	}
    144. 

  144. 	logger.Log(2, username, "was authenticated")
    145. 

  145. 	response.Header().Set("Content-Type", "application/json")
    146. 

  146. 	response.Write(successJSONResponse)
    147. 

  147. 

  148. 	go func() {
    149. 

  149. 		if servercfg.IsPro && servercfg.GetRacAutoDisable() {
    150. 

  150. 			// enable all associeated clients for the user
    151. 

  151. 			clients, err := logic.GetAllExtClients()
    152. 

  152. 			if err != nil {
    153. 

  153. 				slog.Error("error getting clients: ", "error", err)
    154. 

  154. 				return
    155. 

  155. 			}
    156. 

  156. 			for _, client := range clients {
    157. 

  157. 				if client.OwnerID == username && !client.Enabled {
    158. 

  158. 					slog.Info(
    159. 

  159. 						fmt.Sprintf(
    160. 

  160. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    161. 

  161. 							client.ClientID,
    162. 

  162. 							client.OwnerID,
    163. 

  163. 						),
    164. 

  164. 					)
    165. 

  165. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    166. 

  166. 						slog.Error(
    167. 

  167. 							"error enabling ext client in RAC autodisable hook",
    168. 

  168. 							"error",
    169. 

  169. 							err,
    170. 

  170. 						)
    171. 

  171. 						continue // dont return but try for other clients
    172. 

  172. 					} else {
    173. 

  173. 						// publish peer update to ingress gateway
    174. 

  174. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    175. 

  175. 							if err = mq.PublishPeerUpdate(false); err != nil {
    176. 

  176. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    177. 

  177. 							}
    178. 

  178. 						}
    179. 

  179. 					}
    180. 

  180. 				}
    181. 

  181. 			}
    182. 

  182. 		}
    183. 

  183. 	}()
    184. 

  184. }
    185. 

  185. 

  186. // @Summary     Check if the server has a super admin
    187. 

  187. // @Router      /api/users/adm/hassuperadmin [get]
    188. 

  188. // @Tags        Users
    189. 

  189. // @Success     200 {object} bool
    190. 

  190. // @Failure     500 {object} models.ErrorResponse
    191. 

  191. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    192. 

  192. 

  193. 	w.Header().Set("Content-Type", "application/json")
    194. 

  194. 

  195. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    196. 

  196. 	if err != nil {
    197. 

  197. 		logger.Log(0, "failed to check for admin: ", err.Error())
    198. 

  198. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    199. 

  199. 		return
    200. 

  200. 	}
    201. 

  201. 

  202. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    203. 

  203. 

  204. }
    205. 

  205. 

  206. // @Summary     Get an individual user
    207. 

  207. // @Router      /api/users/{username} [get]
    208. 

  208. // @Tags        Users
    209. 

  209. // @Param       username path string true "Username of the user to fetch"
    210. 

  210. // @Success     200 {object} models.User
    211. 

  211. // @Failure     500 {object} models.ErrorResponse
    212. 

  212. func getUser(w http.ResponseWriter, r *http.Request) {
    213. 

  213. 	// set header.
    214. 

  214. 	w.Header().Set("Content-Type", "application/json")
    215. 

  215. 

  216. 	var params = mux.Vars(r)
    217. 

  217. 	usernameFetched := params["username"]
    218. 

  218. 	user, err := logic.GetReturnUser(usernameFetched)
    219. 

  219. 

  220. 	if err != nil {
    221. 

  221. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    222. 

  222. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    223. 

  223. 		return
    224. 

  224. 	}
    225. 

  225. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    226. 

  226. 	json.NewEncoder(w).Encode(user)
    227. 

  227. }
    228. 

  228. 

  229. // swagger:route GET /api/v1/users user getUserV1
    230. 

  230. //
    231. 

  231. // Get an individual user with role info.
    232. 

  232. //
    233. 

  233. //			Schemes: https
    234. 

  234. //
    235. 

  235. //			Security:
    236. 

  236. //	  		oauth
    237. 

  237. //
    238. 

  238. //			Responses:
    239. 

  239. //				200: ReturnUserWithRolesAndGroups
    240. 

  240. func getUserV1(w http.ResponseWriter, r *http.Request) {
    241. 

  241. 	// set header.
    242. 

  242. 	w.Header().Set("Content-Type", "application/json")
    243. 

  243. 	usernameFetched, _ := url.QueryUnescape(r.URL.Query().Get("username"))
    244. 

  244. 	if usernameFetched == "" {
    245. 

  245. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    246. 

  246. 		return
    247. 

  247. 	}
    248. 

  248. 	user, err := logic.GetReturnUser(usernameFetched)
    249. 

  249. 	if err != nil {
    250. 

  250. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    251. 

  251. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    252. 

  252. 		return
    253. 

  253. 	}
    254. 

  254. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    255. 

  255. 	if err != nil {
    256. 

  256. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    257. 

  257. 		return
    258. 

  258. 	}
    259. 

  259. 	resp := models.ReturnUserWithRolesAndGroups{
    260. 

  260. 		ReturnUser:   user,
    261. 

  261. 		PlatformRole: userRoleTemplate,
    262. 

  262. 	}
    263. 

  263. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    264. 

  264. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    265. 

  265. }
    266. 

  266. 

  267. // swagger:route GET /api/users user getUsers
    268. 

  268. //
    269. 

  269. // Get all users.
    270. 

  270. //
    271. 

  271. //			Schemes: https
    272. 

  272. //
    273. 

  273. //			Security:
    274. 

  274. //	  		oauth
    275. 

  275. //
    276. 

  276. //			Responses:
    277. 

  277. //				200: userBodyResponse
    278. 

  278. func getUsers(w http.ResponseWriter, r *http.Request) {
    279. 

  279. 	// set header.
    280. 

  280. 	w.Header().Set("Content-Type", "application/json")
    281. 

  281. 

  282. 	users, err := logic.GetUsers()
    283. 

  283. 

  284. 	if err != nil {
    285. 

  285. 		logger.Log(0, "failed to fetch users: ", err.Error())
    286. 

  286. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    287. 

  287. 		return
    288. 

  288. 	}
    289. 

  289. 

  290. 	logic.SortUsers(users[:])
    291. 

  291. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    292. 

  292. 	json.NewEncoder(w).Encode(users)
    293. 

  293. }
    294. 

  294. 

  295. // @Summary     Create a super admin
    296. 

  296. // @Router      /api/users/adm/createsuperadmin [post]
    297. 

  297. // @Tags        Users
    298. 

  298. // @Param       body body models.User true "User details"
    299. 

  299. // @Success     200 {object} models.User
    300. 

  300. // @Failure     400 {object} models.ErrorResponse
    301. 

  301. // @Failure     500 {object} models.ErrorResponse
    302. 

  302. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    303. 

  303. 	w.Header().Set("Content-Type", "application/json")
    304. 

  304. 

  305. 	var u models.User
    306. 

  306. 

  307. 	err := json.NewDecoder(r.Body).Decode(&u)
    308. 

  308. 	if err != nil {
    309. 

  309. 		slog.Error("error decoding request body", "error", err.Error())
    310. 

  310. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    311. 

  311. 		return
    312. 

  312. 	}
    313. 

  313. 

  314. 	if !servercfg.IsBasicAuthEnabled() {
    315. 

  315. 		logic.ReturnErrorResponse(
    316. 

  316. 			w,
    317. 

  317. 			r,
    318. 

  318. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    319. 

  319. 		)
    320. 

  320. 		return
    321. 

  321. 	}
    322. 

  322. 

  323. 	err = logic.CreateSuperAdmin(&u)
    324. 

  324. 	if err != nil {
    325. 

  325. 		slog.Error("failed to create admin", "error", err.Error())
    326. 

  326. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    327. 

  327. 		return
    328. 

  328. 	}
    329. 

  329. 	logger.Log(1, u.UserName, "was made a super admin")
    330. 

  330. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    331. 

  331. }
    332. 

  332. 

  333. // @Summary     Transfer super admin role to another admin user
    334. 

  334. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    335. 

  335. // @Tags        Users
    336. 

  336. // @Param       username path string true "Username of the user to transfer super admin role"
    337. 

  337. // @Success     200 {object} models.User
    338. 

  338. // @Failure     403 {object} models.ErrorResponse
    339. 

  339. // @Failure     500 {object} models.ErrorResponse
    340. 

  340. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    341. 

  341. 	w.Header().Set("Content-Type", "application/json")
    342. 

  342. 	caller, err := logic.GetUser(r.Header.Get("user"))
    343. 

  343. 	if err != nil {
    344. 

  344. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    345. 

  345. 	}
    346. 

  346. 	if caller.PlatformRoleID != models.SuperAdminRole {
    347. 

  347. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    348. 

  348. 		return
    349. 

  349. 	}
    350. 

  350. 	var params = mux.Vars(r)
    351. 

  351. 	username := params["username"]
    352. 

  352. 	u, err := logic.GetUser(username)
    353. 

  353. 	if err != nil {
    354. 

  354. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    355. 

  355. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    356. 

  356. 		return
    357. 

  357. 	}
    358. 

  358. 	if u.PlatformRoleID != models.AdminRole {
    359. 

  359. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    360. 

  360. 		return
    361. 

  361. 	}
    362. 

  362. 	if !servercfg.IsBasicAuthEnabled() {
    363. 

  363. 		logic.ReturnErrorResponse(
    364. 

  364. 			w,
    365. 

  365. 			r,
    366. 

  366. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    367. 

  367. 		)
    368. 

  368. 		return
    369. 

  369. 	}
    370. 

  370. 

  371. 	u.PlatformRoleID = models.SuperAdminRole
    372. 

  372. 	err = logic.UpsertUser(*u)
    373. 

  373. 	if err != nil {
    374. 

  374. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    375. 

  375. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    376. 

  376. 		return
    377. 

  377. 	}
    378. 

  378. 	caller.PlatformRoleID = models.AdminRole
    379. 

  379. 	err = logic.UpsertUser(*caller)
    380. 

  380. 	if err != nil {
    381. 

  381. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    382. 

  382. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    383. 

  383. 		return
    384. 

  384. 	}
    385. 

  385. 	slog.Info("user was made a super admin", "user", u.UserName)
    386. 

  386. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    387. 

  387. }
    388. 

  388. 

  389. // @Summary     Create a user
    390. 

  390. // @Router      /api/users/{username} [post]
    391. 

  391. // @Tags        Users
    392. 

  392. // @Param       username path string true "Username of the user to create"
    393. 

  393. // @Param       body body models.User true "User details"
    394. 

  394. // @Success     200 {object} models.User
    395. 

  395. // @Failure     400 {object} models.ErrorResponse
    396. 

  396. // @Failure     403 {object} models.ErrorResponse
    397. 

  397. // @Failure     500 {object} models.ErrorResponse
    398. 

  398. func createUser(w http.ResponseWriter, r *http.Request) {
    399. 

  399. 	w.Header().Set("Content-Type", "application/json")
    400. 

  400. 	caller, err := logic.GetUser(r.Header.Get("user"))
    401. 

  401. 	if err != nil {
    402. 

  402. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    403. 

  403. 		return
    404. 

  404. 	}
    405. 

  405. 	var user models.User
    406. 

  406. 	err = json.NewDecoder(r.Body).Decode(&user)
    407. 

  407. 	if err != nil {
    408. 

  408. 		logger.Log(0, user.UserName, "error decoding request body: ",
    409. 

  409. 			err.Error())
    410. 

  410. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    411. 

  411. 		return
    412. 

  412. 	}
    413. 

  413. 

  414. 	if user.PlatformRoleID == "" {
    415. 

  415. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    416. 

  416. 		return
    417. 

  417. 	}
    418. 

  418. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    419. 

  419. 	if err != nil {
    420. 

  420. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    421. 

  421. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    422. 

  422. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    423. 

  423. 		return
    424. 

  424. 	}
    425. 

  425. 	if userRole.ID == models.SuperAdminRole {
    426. 

  426. 		err = errors.New("additional superadmins cannot be created")
    427. 

  427. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    428. 

  428. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    429. 

  429. 		return
    430. 

  430. 	}
    431. 

  431. 

  432. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    433. 

  433. 		err = errors.New("only superadmin can create admin users")
    434. 

  434. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    435. 

  435. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    436. 

  436. 		return
    437. 

  437. 	}
    438. 

  438. 

  439. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    440. 

  440. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    441. 

  441. 		return
    442. 

  442. 	}
    443. 

  443. 

  444. 	err = logic.CreateUser(&user)
    445. 

  445. 	if err != nil {
    446. 

  446. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    447. 

  447. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    448. 

  448. 		return
    449. 

  449. 	}
    450. 

  450. 	logic.DeleteUserInvite(user.UserName)
    451. 

  451. 	logic.DeletePendingUser(user.UserName)
    452. 

  452. 	slog.Info("user was created", "username", user.UserName)
    453. 

  453. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    454. 

  454. }
    455. 

  455. 

  456. // @Summary     Update a user
    457. 

  457. // @Router      /api/users/{username} [put]
    458. 

  458. // @Tags        Users
    459. 

  459. // @Param       username path string true "Username of the user to update"
    460. 

  460. // @Param       body body models.User true "User details"
    461. 

  461. // @Success     200 {object} models.User
    462. 

  462. // @Failure     400 {object} models.ErrorResponse
    463. 

  463. // @Failure     403 {object} models.ErrorResponse
    464. 

  464. // @Failure     500 {object} models.ErrorResponse
    465. 

  465. func updateUser(w http.ResponseWriter, r *http.Request) {
    466. 

  466. 	w.Header().Set("Content-Type", "application/json")
    467. 

  467. 	var params = mux.Vars(r)
    468. 

  468. 	// start here
    469. 

  469. 	var caller *models.User
    470. 

  470. 	var err error
    471. 

  471. 	var ismaster bool
    472. 

  472. 	if r.Header.Get("user") == logic.MasterUser {
    473. 

  473. 		ismaster = true
    474. 

  474. 	} else {
    475. 

  475. 		caller, err = logic.GetUser(r.Header.Get("user"))
    476. 

  476. 		if err != nil {
    477. 

  477. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    478. 

  478. 		}
    479. 

  479. 	}
    480. 

  480. 

  481. 	username := params["username"]
    482. 

  482. 	user, err := logic.GetUser(username)
    483. 

  483. 	if err != nil {
    484. 

  484. 		logger.Log(0, username,
    485. 

  485. 			"failed to update user info: ", err.Error())
    486. 

  486. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    487. 

  487. 		return
    488. 

  488. 	}
    489. 

  489. 	var userchange models.User
    490. 

  490. 	// we decode our body request params
    491. 

  491. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    492. 

  492. 	if err != nil {
    493. 

  493. 		slog.Error("failed to decode body", "error ", err.Error())
    494. 

  494. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    495. 

  495. 		return
    496. 

  496. 	}
    497. 

  497. 	if user.UserName != userchange.UserName {
    498. 

  498. 		logic.ReturnErrorResponse(
    499. 

  499. 			w,
    500. 

  500. 			r,
    501. 

  501. 			logic.FormatError(
    502. 

  502. 				errors.New("user in param and request body not matching"),
    503. 

  503. 				"badrequest",
    504. 

  504. 			),
    505. 

  505. 		)
    506. 

  506. 		return
    507. 

  507. 	}
    508. 

  508. 	selfUpdate := false
    509. 

  509. 	if !ismaster && caller.UserName == user.UserName {
    510. 

  510. 		selfUpdate = true
    511. 

  511. 	}
    512. 

  512. 

  513. 	if !ismaster && !selfUpdate {
    514. 

  514. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    515. 

  515. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    516. 

  516. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    517. 

  517. 			return
    518. 

  518. 		}
    519. 

  519. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    520. 

  520. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    521. 

  521. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    522. 

  522. 			return
    523. 

  523. 		}
    524. 

  524. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    525. 

  525. 			slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
    526. 

  526. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
    527. 

  527. 			return
    528. 

  528. 		}
    529. 

  529. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    530. 

  530. 			err = errors.New("admin user cannot update role of an another user to admin")
    531. 

  531. 			slog.Error(
    532. 

  532. 				"failed to update user",
    533. 

  533. 				"caller",
    534. 

  534. 				caller.UserName,
    535. 

  535. 				"attempted to update user",
    536. 

  536. 				username,
    537. 

  537. 				"error",
    538. 

  538. 				err,
    539. 

  539. 			)
    540. 

  540. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    541. 

  541. 			return
    542. 

  542. 		}
    543. 

  543. 

  544. 	}
    545. 

  545. 	if !ismaster && selfUpdate {
    546. 

  546. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    547. 

  547. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    548. 

  548. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    549. 

  549. 			return
    550. 

  550. 

  551. 		}
    552. 

  552. 		if servercfg.IsPro {
    553. 

  553. 			// user cannot update his own roles and groups
    554. 

  554. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    555. 

  555. 				err = errors.New("user cannot update self update their network roles")
    556. 

  556. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    557. 

  557. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    558. 

  558. 				return
    559. 

  559. 			}
    560. 

  560. 			// user cannot update his own roles and groups
    561. 

  561. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    562. 

  562. 				err = errors.New("user cannot update self update their groups")
    563. 

  563. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    564. 

  564. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    565. 

  565. 				return
    566. 

  566. 			}
    567. 

  567. 		}
    568. 

  568. 

  569. 	}
    570. 

  570. 	if ismaster {
    571. 

  571. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    572. 

  572. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    573. 

  573. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    574. 

  574. 			return
    575. 

  575. 		}
    576. 

  576. 	}
    577. 

  577. 

  578. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    579. 

  579. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    580. 

  580. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    581. 

  581. 		return
    582. 

  582. 	}
    583. 

  583. 

  584. 	user, err = logic.UpdateUser(&userchange, user)
    585. 

  585. 	if err != nil {
    586. 

  586. 		logger.Log(0, username,
    587. 

  587. 			"failed to update user info: ", err.Error())
    588. 

  588. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    589. 

  589. 		return
    590. 

  590. 	}
    591. 

  591. 	logger.Log(1, username, "was updated")
    592. 

  592. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    593. 

  593. }
    594. 

  594. 

  595. // @Summary     Delete a user
    596. 

  596. // @Router      /api/users/{username} [delete]
    597. 

  597. // @Tags        Users
    598. 

  598. // @Param       username path string true "Username of the user to delete"
    599. 

  599. // @Success     200 {string} string
    600. 

  600. // @Failure     500 {object} models.ErrorResponse
    601. 

  601. func deleteUser(w http.ResponseWriter, r *http.Request) {
    602. 

  602. 	// Set header
    603. 

  603. 	w.Header().Set("Content-Type", "application/json")
    604. 

  604. 

  605. 	// get params
    606. 

  606. 	var params = mux.Vars(r)
    607. 

  607. 	caller, err := logic.GetUser(r.Header.Get("user"))
    608. 

  608. 	if err != nil {
    609. 

  609. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    610. 

  610. 	}
    611. 

  611. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    612. 

  612. 	if err != nil {
    613. 

  613. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    614. 

  614. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    615. 

  615. 		return
    616. 

  616. 	}
    617. 

  617. 	username := params["username"]
    618. 

  618. 	user, err := logic.GetUser(username)
    619. 

  619. 	if err != nil {
    620. 

  620. 		logger.Log(0, username,
    621. 

  621. 			"failed to update user info: ", err.Error())
    622. 

  622. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    623. 

  623. 		return
    624. 

  624. 	}
    625. 

  625. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    626. 

  626. 	if err != nil {
    627. 

  627. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    628. 

  628. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    629. 

  629. 		return
    630. 

  630. 	}
    631. 

  631. 	if userRole.ID == models.SuperAdminRole {
    632. 

  632. 		slog.Error(
    633. 

  633. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    634. 

  634. 		logic.ReturnErrorResponse(
    635. 

  635. 			w,
    636. 

  636. 			r,
    637. 

  637. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    638. 

  638. 		)
    639. 

  639. 		return
    640. 

  640. 	}
    641. 

  641. 	if callerUserRole.ID != models.SuperAdminRole {
    642. 

  642. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    643. 

  643. 			slog.Error(
    644. 

  644. 				"failed to delete user: ",
    645. 

  645. 				"user",
    646. 

  646. 				username,
    647. 

  647. 				"error",
    648. 

  648. 				"admin cannot delete another admin user, including oneself",
    649. 

  649. 			)
    650. 

  650. 			logic.ReturnErrorResponse(
    651. 

  651. 				w,
    652. 

  652. 				r,
    653. 

  653. 				logic.FormatError(
    654. 

  654. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    655. 

  655. 					"internal",
    656. 

  656. 				),
    657. 

  657. 			)
    658. 

  658. 			return
    659. 

  659. 		}
    660. 

  660. 	}
    661. 

  661. 	success, err := logic.DeleteUser(username)
    662. 

  662. 	if err != nil {
    663. 

  663. 		logger.Log(0, username,
    664. 

  664. 			"failed to delete user: ", err.Error())
    665. 

  665. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    666. 

  666. 		return
    667. 

  667. 	} else if !success {
    668. 

  668. 		err := errors.New("delete unsuccessful")
    669. 

  669. 		logger.Log(0, username, err.Error())
    670. 

  670. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    671. 

  671. 		return
    672. 

  672. 	}
    673. 

  673. 	// check and delete extclient with this ownerID
    674. 

  674. 	go func() {
    675. 

  675. 		extclients, err := logic.GetAllExtClients()
    676. 

  676. 		if err != nil {
    677. 

  677. 			slog.Error("failed to get extclients", "error", err)
    678. 

  678. 			return
    679. 

  679. 		}
    680. 

  680. 		for _, extclient := range extclients {
    681. 

  681. 			if extclient.OwnerID == user.UserName {
    682. 

  682. 				err = logic.DeleteExtClientAndCleanup(extclient)
    683. 

  683. 				if err != nil {
    684. 

  684. 					slog.Error("failed to delete extclient",
    685. 

  685. 						"id", extclient.ClientID, "owner", username, "error", err)
    686. 

  686. 				} else {
    687. 

  687. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    688. 

  688. 						slog.Error("error setting ext peers: " + err.Error())
    689. 

  689. 					}
    690. 

  690. 				}
    691. 

  691. 			}
    692. 

  692. 		}
    693. 

  693. 		if servercfg.IsDNSMode() {
    694. 

  694. 			logic.SetDNS()
    695. 

  695. 		}
    696. 

  696. 	}()
    697. 

  697. 	logger.Log(1, username, "was deleted")
    698. 

  698. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    699. 

  699. }
    700. 

  700. 

  701. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    702. 

  702. func socketHandler(w http.ResponseWriter, r *http.Request) {
    703. 

  703. 	// Upgrade our raw HTTP connection to a websocket based one
    704. 

  704. 	conn, err := upgrader.Upgrade(w, r, nil)
    705. 

  705. 	if err != nil {
    706. 

  706. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    707. 

  707. 		return
    708. 

  708. 	}
    709. 

  709. 	if conn == nil {
    710. 

  710. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    711. 

  711. 		return
    712. 

  712. 	}
    713. 

  713. 	// Start handling the session
    714. 

  714. 	go auth.SessionHandler(conn)
    715. 

  715. }
    716. 

  716. 

  717. // @Summary     lists all user roles.
    718. 

  718. // @Router      /api/v1/user/roles [get]
    719. 

  719. // @Tags        Users
    720. 

  720. // @Param       role_id param string true "roleid required to get the role details"
    721. 

  721. // @Success     200 {object}  []models.UserRolePermissionTemplate
    722. 

  722. // @Failure     500 {object} models.ErrorResponse
    723. 

  723. func listRoles(w http.ResponseWriter, r *http.Request) {
    724. 

  724. 	var roles []models.UserRolePermissionTemplate
    725. 

  725. 	var err error
    726. 

  726. 	roles, err = logic.ListPlatformRoles()
    727. 

  727. 	if err != nil {
    728. 

  728. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    729. 

  729. 			Code:    http.StatusInternalServerError,
    730. 

  730. 			Message: err.Error(),
    731. 

  731. 		})
    732. 

  732. 		return
    733. 

  733. 	}
    734. 

  734. 

  735. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    736. 

  736. }
    737.