ホーム エクスプローラ ヘルプ
サインイン
golang
/
netmaker
同期ミラー https://github.com/gravitl/netmaker
2
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: ad33c4bfff
ブランチ タグ
netmaker
/
pro
/
controllers
/
users.go

users.go 64 KB
履歴 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051 
  1. package controllers
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 	"fmt"
    8. 

  8. 	"net/http"
    9. 

  9. 	"net/url"
    10. 

  10. 	"strings"
    11. 

  11. 	"time"
    12. 

  12. 

  13. 	"github.com/google/uuid"
    14. 

  14. 	"github.com/gorilla/mux"
    15. 

  15. 	"github.com/gravitl/netmaker/database"
    16. 

  16. 	"github.com/gravitl/netmaker/logger"
    17. 

  17. 	"github.com/gravitl/netmaker/logic"
    18. 

  18. 	"github.com/gravitl/netmaker/models"
    19. 

  19. 	"github.com/gravitl/netmaker/mq"
    20. 

  20. 	proAuth "github.com/gravitl/netmaker/pro/auth"
    21. 

  21. 	"github.com/gravitl/netmaker/pro/email"
    22. 

  22. 	"github.com/gravitl/netmaker/pro/idp"
    23. 

  23. 	"github.com/gravitl/netmaker/pro/idp/azure"
    24. 

  24. 	"github.com/gravitl/netmaker/pro/idp/google"
    25. 

  25. 	"github.com/gravitl/netmaker/pro/idp/okta"
    26. 

  26. 	proLogic "github.com/gravitl/netmaker/pro/logic"
    27. 

  27. 	"github.com/gravitl/netmaker/servercfg"
    28. 

  28. 	"github.com/gravitl/netmaker/utils"
    29. 

  29. 	"golang.org/x/exp/slog"
    30. 

  30. )
    31. 

  31. 

  32. func UserHandlers(r *mux.Router) {
    33. 

  33. 

  34. 	r.HandleFunc("/api/oauth/login", proAuth.HandleAuthLogin).Methods(http.MethodGet)
    35. 

  35. 	r.HandleFunc("/api/oauth/callback", proAuth.HandleAuthCallback).Methods(http.MethodGet)
    36. 

  36. 	r.HandleFunc("/api/oauth/headless", proAuth.HandleHeadlessSSO)
    37. 

  37. 	r.HandleFunc("/api/oauth/register/{regKey}", proAuth.RegisterHostSSO).Methods(http.MethodGet)
    38. 

  38. 

  39. 	// User Role Handlers
    40. 

  40. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
    42. 

  42. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
    43. 

  43. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)
    44. 

  44. 

  45. 	// User Group Handlers
    46. 

  46. 	r.HandleFunc("/api/v1/users/groups", logic.SecurityCheck(true, http.HandlerFunc(listUserGroups))).Methods(http.MethodGet)
    47. 

  47. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(getUserGroup))).Methods(http.MethodGet)
    48. 

  48. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(createUserGroup))).Methods(http.MethodPost)
    49. 

  49. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(updateUserGroup))).Methods(http.MethodPut)
    50. 

  50. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(deleteUserGroup))).Methods(http.MethodDelete)
    51. 

  51. 	r.HandleFunc("/api/v1/users/add_network_user", logic.SecurityCheck(true, http.HandlerFunc(addUsertoNetwork))).Methods(http.MethodPut)
    52. 

  52. 	r.HandleFunc("/api/v1/users/remove_network_user", logic.SecurityCheck(true, http.HandlerFunc(removeUserfromNetwork))).Methods(http.MethodPut)
    53. 

  53. 	r.HandleFunc("/api/v1/users/unassigned_network_users", logic.SecurityCheck(true, http.HandlerFunc(listUnAssignedNetUsers))).Methods(http.MethodGet)
    54. 

  54. 

  55. 	// User Invite Handlers
    56. 

  56. 	r.HandleFunc("/api/v1/users/invite", userInviteVerify).Methods(http.MethodGet)
    57. 

  57. 	r.HandleFunc("/api/v1/users/invite-signup", userInviteSignUp).Methods(http.MethodPost)
    58. 

  58. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(inviteUsers))).Methods(http.MethodPost)
    59. 

  59. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(listUserInvites))).Methods(http.MethodGet)
    60. 

  60. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(deleteUserInvite))).Methods(http.MethodDelete)
    61. 

  61. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(deleteAllUserInvites))).Methods(http.MethodDelete)
    62. 

  62. 

  63. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(getPendingUsers))).Methods(http.MethodGet)
    64. 

  64. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(deleteAllPendingUsers))).Methods(http.MethodDelete)
    65. 

  65. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
    66. 

  66. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)
    67. 

  67. 

  68. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(attachUserToRemoteAccessGw))).Methods(http.MethodPost)
    69. 

  69. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(removeUserFromRemoteAccessGW))).Methods(http.MethodDelete)
    70. 

  70. 	r.HandleFunc("/api/users/{username}/remote_access_gw", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserRemoteAccessGwsV1)))).Methods(http.MethodGet)
    71. 

  71. 	r.HandleFunc("/api/users/ingress/{ingress_id}", logic.SecurityCheck(true, http.HandlerFunc(ingressGatewayUsers))).Methods(http.MethodGet)
    72. 

  72. 

  73. 	r.HandleFunc("/api/idp/sync", logic.SecurityCheck(true, http.HandlerFunc(syncIDP))).Methods(http.MethodPost)
    74. 

  74. 	r.HandleFunc("/api/idp/sync/test", logic.SecurityCheck(true, http.HandlerFunc(testIDPSync))).Methods(http.MethodPost)
    75. 

  75. 	r.HandleFunc("/api/idp/sync/status", logic.SecurityCheck(true, http.HandlerFunc(getIDPSyncStatus))).Methods(http.MethodGet)
    76. 

  76. 	r.HandleFunc("/api/idp", logic.SecurityCheck(true, http.HandlerFunc(removeIDPIntegration))).Methods(http.MethodDelete)
    77. 

  77. }
    78. 

  78. 

  79. // swagger:route POST /api/v1/users/invite-signup user userInviteSignUp
    80. 

  80. //
    81. 

  81. // user signup via invite.
    82. 

  82. //
    83. 

  83. //	Schemes: https
    84. 

  84. //
    85. 

  85. //	Responses:
    86. 

  86. //		200: ReturnSuccessResponse
    87. 

  87. func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
    88. 

  88. 	email := r.URL.Query().Get("email")
    89. 

  89. 	code := r.URL.Query().Get("invite_code")
    90. 

  90. 	in, err := logic.GetUserInvite(email)
    91. 

  91. 	if err != nil {
    92. 

  92. 		logger.Log(0, "failed to fetch users: ", err.Error())
    93. 

  93. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    94. 

  94. 		return
    95. 

  95. 	}
    96. 

  96. 	if code != in.InviteCode {
    97. 

  97. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid invite code"), "badrequest"))
    98. 

  98. 		return
    99. 

  99. 	}
    100. 

  100. 	// check if user already exists
    101. 

  101. 	_, err = logic.GetUser(email)
    102. 

  102. 	if err == nil {
    103. 

  103. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user already exists"), "badrequest"))
    104. 

  104. 		return
    105. 

  105. 	}
    106. 

  106. 	var user models.User
    107. 

  107. 	err = json.NewDecoder(r.Body).Decode(&user)
    108. 

  108. 	if err != nil {
    109. 

  109. 		logger.Log(0, user.UserName, "error decoding request body: ",
    110. 

  110. 			err.Error())
    111. 

  111. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    112. 

  112. 		return
    113. 

  113. 	}
    114. 

  114. 	if user.UserName != email {
    115. 

  115. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not matching with invite"), "badrequest"))
    116. 

  116. 		return
    117. 

  117. 	}
    118. 

  118. 	if user.Password == "" {
    119. 

  119. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("password cannot be empty"), "badrequest"))
    120. 

  120. 		return
    121. 

  121. 	}
    122. 

  122. 

  123. 	user.UserGroups = in.UserGroups
    124. 

  124. 	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
    125. 

  125. 	if user.PlatformRoleID == "" {
    126. 

  126. 		user.PlatformRoleID = models.ServiceUser
    127. 

  127. 	}
    128. 

  128. 	user.NetworkRoles = in.NetworkRoles
    129. 

  129. 	err = logic.CreateUser(&user)
    130. 

  130. 	if err != nil {
    131. 

  131. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    132. 

  132. 		return
    133. 

  133. 	}
    134. 

  134. 	// delete invite
    135. 

  135. 	logic.DeleteUserInvite(email)
    136. 

  136. 	logic.DeletePendingUser(email)
    137. 

  137. 	w.Header().Set("Access-Control-Allow-Origin", "*")
    138. 

  138. 	logic.ReturnSuccessResponse(w, r, "created user successfully "+email)
    139. 

  139. }
    140. 

  140. 

  141. // swagger:route GET /api/v1/users/invite user userInviteVerify
    142. 

  142. //
    143. 

  143. // verfies user invite.
    144. 

  144. //
    145. 

  145. //	Schemes: https
    146. 

  146. //
    147. 

  147. //	Responses:
    148. 

  148. //		200: ReturnSuccessResponse
    149. 

  149. func userInviteVerify(w http.ResponseWriter, r *http.Request) {
    150. 

  150. 	email := r.URL.Query().Get("email")
    151. 

  151. 	code := r.URL.Query().Get("invite_code")
    152. 

  152. 	err := logic.ValidateAndApproveUserInvite(email, code)
    153. 

  153. 	if err != nil {
    154. 

  154. 		logger.Log(0, "failed to fetch users: ", err.Error())
    155. 

  155. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    156. 

  156. 		return
    157. 

  157. 	}
    158. 

  158. 	logic.ReturnSuccessResponse(w, r, "invite is valid")
    159. 

  159. }
    160. 

  160. 

  161. // swagger:route POST /api/v1/users/invite user inviteUsers
    162. 

  162. //
    163. 

  163. // invite users.
    164. 

  164. //
    165. 

  165. //			Schemes: https
    166. 

  166. //
    167. 

  167. //			Security:
    168. 

  168. //	  		oauth
    169. 

  169. //
    170. 

  170. //			Responses:
    171. 

  171. //				200: userBodyResponse
    172. 

  172. func inviteUsers(w http.ResponseWriter, r *http.Request) {
    173. 

  173. 	var inviteReq models.InviteUsersReq
    174. 

  174. 	err := json.NewDecoder(r.Body).Decode(&inviteReq)
    175. 

  175. 	if err != nil {
    176. 

  176. 		slog.Error("error decoding request body", "error",
    177. 

  177. 			err.Error())
    178. 

  178. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    179. 

  179. 		return
    180. 

  180. 	}
    181. 

  181. 	callerUserName := r.Header.Get("user")
    182. 

  182. 	if r.Header.Get("ismaster") != "yes" {
    183. 

  183. 		caller, err := logic.GetUser(callerUserName)
    184. 

  184. 		if err != nil {
    185. 

  185. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "notfound"))
    186. 

  186. 			return
    187. 

  187. 		}
    188. 

  188. 		if inviteReq.PlatformRoleID == models.SuperAdminRole.String() {
    189. 

  189. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("super admin cannot be invited"), "badrequest"))
    190. 

  190. 			return
    191. 

  191. 		}
    192. 

  192. 		if inviteReq.PlatformRoleID == "" {
    193. 

  193. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role id cannot be empty"), "badrequest"))
    194. 

  194. 			return
    195. 

  195. 		}
    196. 

  196. 		if (inviteReq.PlatformRoleID == models.AdminRole.String() ||
    197. 

  197. 			inviteReq.PlatformRoleID == models.SuperAdminRole.String()) && caller.PlatformRoleID != models.SuperAdminRole {
    198. 

  198. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can invite admin users"), "forbidden"))
    199. 

  199. 			return
    200. 

  200. 		}
    201. 

  201. 	}
    202. 

  202. 

  203. 	//validate Req
    204. 

  204. 	err = proLogic.IsGroupsValid(inviteReq.UserGroups)
    205. 

  205. 	if err != nil {
    206. 

  206. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    207. 

  207. 		return
    208. 

  208. 	}
    209. 

  209. 	err = proLogic.IsNetworkRolesValid(inviteReq.NetworkRoles)
    210. 

  210. 	if err != nil {
    211. 

  211. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    212. 

  212. 		return
    213. 

  213. 	}
    214. 

  214. 

  215. 	// check platform role
    216. 

  216. 	_, err = logic.GetRole(models.UserRoleID(inviteReq.PlatformRoleID))
    217. 

  217. 	if err != nil {
    218. 

  218. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    219. 

  219. 		return
    220. 

  220. 	}
    221. 

  221. 	for _, inviteeEmail := range inviteReq.UserEmails {
    222. 

  222. 		inviteeEmail = strings.ToLower(inviteeEmail)
    223. 

  223. 		// check if user with email exists, then ignore
    224. 

  224. 		if !email.IsValid(inviteeEmail) {
    225. 

  225. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid email "+inviteeEmail), "badrequest"))
    226. 

  226. 			return
    227. 

  227. 		}
    228. 

  228. 		_, err := logic.GetUser(inviteeEmail)
    229. 

  229. 		if err == nil {
    230. 

  230. 			// user exists already, so ignore
    231. 

  231. 			continue
    232. 

  232. 		}
    233. 

  233. 		invite := models.UserInvite{
    234. 

  234. 			Email:          inviteeEmail,
    235. 

  235. 			PlatformRoleID: inviteReq.PlatformRoleID,
    236. 

  236. 			UserGroups:     inviteReq.UserGroups,
    237. 

  237. 			NetworkRoles:   inviteReq.NetworkRoles,
    238. 

  238. 			InviteCode:     logic.RandomString(8),
    239. 

  239. 		}
    240. 

  240. 		frontendURL := strings.TrimSuffix(servercfg.GetFrontendURL(), "/")
    241. 

  241. 		if frontendURL == "" {
    242. 

  242. 			frontendURL = fmt.Sprintf("https://dashboard.%s", servercfg.GetNmBaseDomain())
    243. 

  243. 		}
    244. 

  244. 		u, err := url.Parse(fmt.Sprintf("%s/invite?email=%s&invite_code=%s",
    245. 

  245. 			frontendURL, url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    246. 

  246. 		if err != nil {
    247. 

  247. 			slog.Error("failed to parse to invite url", "error", err)
    248. 

  248. 			return
    249. 

  249. 		}
    250. 

  250. 		if servercfg.DeployedByOperator() {
    251. 

  251. 			u, err = url.Parse(fmt.Sprintf("%s/invite?tenant_id=%s&email=%s&invite_code=%s",
    252. 

  252. 				proLogic.GetAccountsUIHost(), url.QueryEscape(servercfg.GetNetmakerTenantID()), url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    253. 

  253. 			if err != nil {
    254. 

  254. 				slog.Error("failed to parse to invite url", "error", err)
    255. 

  255. 				return
    256. 

  256. 			}
    257. 

  257. 		}
    258. 

  258. 		invite.InviteURL = u.String()
    259. 

  259. 		err = logic.InsertUserInvite(invite)
    260. 

  260. 		if err != nil {
    261. 

  261. 			slog.Error("failed to insert invite for user", "email", invite.Email, "error", err)
    262. 

  262. 		}
    263. 

  263. 		logic.LogEvent(&models.Event{
    264. 

  264. 			Action: models.Create,
    265. 

  265. 			Source: models.Subject{
    266. 

  266. 				ID:   callerUserName,
    267. 

  267. 				Name: callerUserName,
    268. 

  268. 				Type: models.UserSub,
    269. 

  269. 				Info: invite,
    270. 

  270. 			},
    271. 

  271. 			TriggeredBy: callerUserName,
    272. 

  272. 			Target: models.Subject{
    273. 

  273. 				ID:   inviteeEmail,
    274. 

  274. 				Name: inviteeEmail,
    275. 

  275. 				Type: models.UserInviteSub,
    276. 

  276. 			},
    277. 

  277. 			Origin: models.Dashboard,
    278. 

  278. 		})
    279. 

  279. 		// notify user with magic link
    280. 

  280. 		go func(invite models.UserInvite) {
    281. 

  281. 			// Set E-Mail body. You can set plain text or html with text/html
    282. 

  282. 

  283. 			e := email.UserInvitedMail{
    284. 

  284. 				BodyBuilder:    &email.EmailBodyBuilderWithH1HeadlineAndImage{},
    285. 

  285. 				InviteURL:      invite.InviteURL,
    286. 

  286. 				PlatformRoleID: invite.PlatformRoleID,
    287. 

  287. 			}
    288. 

  288. 			n := email.Notification{
    289. 

  289. 				RecipientMail: invite.Email,
    290. 

  290. 			}
    291. 

  291. 			err = email.GetClient().SendEmail(context.Background(), n, e)
    292. 

  292. 			if err != nil {
    293. 

  293. 				slog.Error("failed to send email invite", "user", invite.Email, "error", err)
    294. 

  294. 			}
    295. 

  295. 		}(invite)
    296. 

  296. 	}
    297. 

  297. 

  298. 	logic.ReturnSuccessResponse(w, r, "triggered user invites")
    299. 

  299. }
    300. 

  300. 

  301. // swagger:route GET /api/v1/users/invites user listUserInvites
    302. 

  302. //
    303. 

  303. // lists all pending invited users.
    304. 

  304. //
    305. 

  305. //			Schemes: https
    306. 

  306. //
    307. 

  307. //			Security:
    308. 

  308. //	  		oauth
    309. 

  309. //
    310. 

  310. //			Responses:
    311. 

  311. //				200: ReturnSuccessResponseWithJson
    312. 

  312. func listUserInvites(w http.ResponseWriter, r *http.Request) {
    313. 

  313. 	usersInvites, err := logic.ListUserInvites()
    314. 

  314. 	if err != nil {
    315. 

  315. 		logger.Log(0, "failed to fetch users: ", err.Error())
    316. 

  316. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    317. 

  317. 		return
    318. 

  318. 	}
    319. 

  319. 	logic.ReturnSuccessResponseWithJson(w, r, usersInvites, "fetched pending user invites")
    320. 

  320. }
    321. 

  321. 

  322. // swagger:route DELETE /api/v1/users/invite user deleteUserInvite
    323. 

  323. //
    324. 

  324. // delete pending invite.
    325. 

  325. //
    326. 

  326. //			Schemes: https
    327. 

  327. //
    328. 

  328. //			Security:
    329. 

  329. //	  		oauth
    330. 

  330. //
    331. 

  331. //			Responses:
    332. 

  332. //				200: ReturnSuccessResponse
    333. 

  333. func deleteUserInvite(w http.ResponseWriter, r *http.Request) {
    334. 

  334. 	email := r.URL.Query().Get("invitee_email")
    335. 

  335. 	err := logic.DeleteUserInvite(email)
    336. 

  336. 	if err != nil {
    337. 

  337. 		logger.Log(0, "failed to delete user invite: ", email, err.Error())
    338. 

  338. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    339. 

  339. 		return
    340. 

  340. 	}
    341. 

  341. 	logic.LogEvent(&models.Event{
    342. 

  342. 		Action: models.Delete,
    343. 

  343. 		Source: models.Subject{
    344. 

  344. 			ID:   r.Header.Get("user"),
    345. 

  345. 			Name: r.Header.Get("user"),
    346. 

  346. 			Type: models.UserSub,
    347. 

  347. 		},
    348. 

  348. 		TriggeredBy: r.Header.Get("user"),
    349. 

  349. 		Target: models.Subject{
    350. 

  350. 			ID:   email,
    351. 

  351. 			Name: email,
    352. 

  352. 			Type: models.UserInviteSub,
    353. 

  353. 		},
    354. 

  354. 		Origin: models.Dashboard,
    355. 

  355. 	})
    356. 

  356. 	logic.ReturnSuccessResponse(w, r, "deleted user invite")
    357. 

  357. }
    358. 

  358. 

  359. // swagger:route DELETE /api/v1/users/invites user deleteAllUserInvites
    360. 

  360. //
    361. 

  361. // deletes all pending invites.
    362. 

  362. //
    363. 

  363. //			Schemes: https
    364. 

  364. //
    365. 

  365. //			Security:
    366. 

  366. //	  		oauth
    367. 

  367. //
    368. 

  368. //			Responses:
    369. 

  369. //				200: ReturnSuccessResponse
    370. 

  370. func deleteAllUserInvites(w http.ResponseWriter, r *http.Request) {
    371. 

  371. 	err := database.DeleteAllRecords(database.USER_INVITES_TABLE_NAME)
    372. 

  372. 	if err != nil {
    373. 

  373. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending user invites "+err.Error()), "internal"))
    374. 

  374. 		return
    375. 

  375. 	}
    376. 

  376. 	logic.LogEvent(&models.Event{
    377. 

  377. 		Action: models.DeleteAll,
    378. 

  378. 		Source: models.Subject{
    379. 

  379. 			ID:   r.Header.Get("user"),
    380. 

  380. 			Name: r.Header.Get("user"),
    381. 

  381. 			Type: models.UserSub,
    382. 

  382. 		},
    383. 

  383. 		TriggeredBy: r.Header.Get("user"),
    384. 

  384. 		Target: models.Subject{
    385. 

  385. 			ID:   "All Invites",
    386. 

  386. 			Name: "All Invites",
    387. 

  387. 			Type: models.UserInviteSub,
    388. 

  388. 		},
    389. 

  389. 		Origin: models.Dashboard,
    390. 

  390. 	})
    391. 

  391. 	logic.ReturnSuccessResponse(w, r, "cleared all pending user invites")
    392. 

  392. }
    393. 

  393. 

  394. // swagger:route GET /api/v1/user/groups user listUserGroups
    395. 

  395. //
    396. 

  396. // Get all user groups.
    397. 

  397. //
    398. 

  398. //			Schemes: https
    399. 

  399. //
    400. 

  400. //			Security:
    401. 

  401. //	  		oauth
    402. 

  402. //
    403. 

  403. //			Responses:
    404. 

  404. //				200: userBodyResponse
    405. 

  405. func listUserGroups(w http.ResponseWriter, r *http.Request) {
    406. 

  406. 	groups, err := proLogic.ListUserGroups()
    407. 

  407. 	if err != nil {
    408. 

  408. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    409. 

  409. 			Code:    http.StatusInternalServerError,
    410. 

  410. 			Message: err.Error(),
    411. 

  411. 		})
    412. 

  412. 		return
    413. 

  413. 	}
    414. 

  414. 	logic.ReturnSuccessResponseWithJson(w, r, groups, "successfully fetched user groups")
    415. 

  415. }
    416. 

  416. 

  417. // swagger:route GET /api/v1/user/group user getUserGroup
    418. 

  418. //
    419. 

  419. // Get user group.
    420. 

  420. //
    421. 

  421. //			Schemes: https
    422. 

  422. //
    423. 

  423. //			Security:
    424. 

  424. //	  		oauth
    425. 

  425. //
    426. 

  426. //			Responses:
    427. 

  427. //				200: userBodyResponse
    428. 

  428. func getUserGroup(w http.ResponseWriter, r *http.Request) {
    429. 

  429. 

  430. 	gid := r.URL.Query().Get("group_id")
    431. 

  431. 	if gid == "" {
    432. 

  432. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    433. 

  433. 		return
    434. 

  434. 	}
    435. 

  435. 	group, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    436. 

  436. 	if err != nil {
    437. 

  437. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    438. 

  438. 			Code:    http.StatusInternalServerError,
    439. 

  439. 			Message: err.Error(),
    440. 

  440. 		})
    441. 

  441. 		return
    442. 

  442. 	}
    443. 

  443. 	logic.ReturnSuccessResponseWithJson(w, r, group, "successfully fetched user group")
    444. 

  444. }
    445. 

  445. 

  446. // swagger:route POST /api/v1/user/group user createUserGroup
    447. 

  447. //
    448. 

  448. // Create user groups.
    449. 

  449. //
    450. 

  450. //			Schemes: https
    451. 

  451. //
    452. 

  452. //			Security:
    453. 

  453. //	  		oauth
    454. 

  454. //
    455. 

  455. //			Responses:
    456. 

  456. //				200: userBodyResponse
    457. 

  457. func createUserGroup(w http.ResponseWriter, r *http.Request) {
    458. 

  458. 	var userGroupReq models.CreateGroupReq
    459. 

  459. 	err := json.NewDecoder(r.Body).Decode(&userGroupReq)
    460. 

  460. 	if err != nil {
    461. 

  461. 		slog.Error("error decoding request body", "error",
    462. 

  462. 			err.Error())
    463. 

  463. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    464. 

  464. 		return
    465. 

  465. 	}
    466. 

  466. 	err = proLogic.ValidateCreateGroupReq(userGroupReq.Group)
    467. 

  467. 	if err != nil {
    468. 

  468. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    469. 

  469. 		return
    470. 

  470. 	}
    471. 

  471. 	err = proLogic.CreateUserGroup(&userGroupReq.Group)
    472. 

  472. 	if err != nil {
    473. 

  473. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    474. 

  474. 		return
    475. 

  475. 	}
    476. 

  476. 

  477. 	for _, userID := range userGroupReq.Members {
    478. 

  478. 		user, err := logic.GetUser(userID)
    479. 

  479. 		if err != nil {
    480. 

  480. 			continue
    481. 

  481. 		}
    482. 

  482. 		if len(user.UserGroups) == 0 {
    483. 

  483. 			user.UserGroups = make(map[models.UserGroupID]struct{})
    484. 

  484. 		}
    485. 

  485. 		user.UserGroups[userGroupReq.Group.ID] = struct{}{}
    486. 

  486. 		logic.UpsertUser(*user)
    487. 

  487. 	}
    488. 

  488. 	logic.LogEvent(&models.Event{
    489. 

  489. 		Action: models.Create,
    490. 

  490. 		Source: models.Subject{
    491. 

  491. 			ID:   r.Header.Get("user"),
    492. 

  492. 			Name: r.Header.Get("user"),
    493. 

  493. 			Type: models.UserSub,
    494. 

  494. 		},
    495. 

  495. 		TriggeredBy: r.Header.Get("user"),
    496. 

  496. 		Target: models.Subject{
    497. 

  497. 			ID:   userGroupReq.Group.ID.String(),
    498. 

  498. 			Name: userGroupReq.Group.Name,
    499. 

  499. 			Type: models.UserGroupSub,
    500. 

  500. 		},
    501. 

  501. 		Origin: models.Dashboard,
    502. 

  502. 	})
    503. 

  503. 	go mq.PublishPeerUpdate(false)
    504. 

  504. 	logic.ReturnSuccessResponseWithJson(w, r, userGroupReq.Group, "created user group")
    505. 

  505. }
    506. 

  506. 

  507. // swagger:route PUT /api/v1/user/group user updateUserGroup
    508. 

  508. //
    509. 

  509. // Update user group.
    510. 

  510. //
    511. 

  511. //			Schemes: https
    512. 

  512. //
    513. 

  513. //			Security:
    514. 

  514. //	  		oauth
    515. 

  515. //
    516. 

  516. //			Responses:
    517. 

  517. //				200: userBodyResponse
    518. 

  518. func updateUserGroup(w http.ResponseWriter, r *http.Request) {
    519. 

  519. 	var userGroup models.UserGroup
    520. 

  520. 	err := json.NewDecoder(r.Body).Decode(&userGroup)
    521. 

  521. 	if err != nil {
    522. 

  522. 		slog.Error("error decoding request body", "error",
    523. 

  523. 			err.Error())
    524. 

  524. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    525. 

  525. 		return
    526. 

  526. 	}
    527. 

  527. 	// fetch curr group
    528. 

  528. 	currUserG, err := proLogic.GetUserGroup(userGroup.ID)
    529. 

  529. 	if err != nil {
    530. 

  530. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    531. 

  531. 		return
    532. 

  532. 	}
    533. 

  533. 	if currUserG.Default {
    534. 

  534. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update default user group"), "badrequest"))
    535. 

  535. 		return
    536. 

  536. 	}
    537. 

  537. 	err = proLogic.ValidateUpdateGroupReq(userGroup)
    538. 

  538. 	if err != nil {
    539. 

  539. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    540. 

  540. 		return
    541. 

  541. 	}
    542. 

  542. 

  543. 	userGroup.ExternalIdentityProviderID = currUserG.ExternalIdentityProviderID
    544. 

  544. 

  545. 	err = proLogic.UpdateUserGroup(userGroup)
    546. 

  546. 	if err != nil {
    547. 

  547. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    548. 

  548. 		return
    549. 

  549. 	}
    550. 

  550. 	logic.LogEvent(&models.Event{
    551. 

  551. 		Action: models.Update,
    552. 

  552. 		Source: models.Subject{
    553. 

  553. 			ID:   r.Header.Get("user"),
    554. 

  554. 			Name: r.Header.Get("user"),
    555. 

  555. 			Type: models.UserSub,
    556. 

  556. 		},
    557. 

  557. 		TriggeredBy: r.Header.Get("user"),
    558. 

  558. 		Target: models.Subject{
    559. 

  559. 			ID:   userGroup.ID.String(),
    560. 

  560. 			Name: userGroup.Name,
    561. 

  561. 			Type: models.UserGroupSub,
    562. 

  562. 		},
    563. 

  563. 		Diff: models.Diff{
    564. 

  564. 			Old: currUserG,
    565. 

  565. 			New: userGroup,
    566. 

  566. 		},
    567. 

  567. 		Origin: models.Dashboard,
    568. 

  568. 	})
    569. 

  569. 	replacePeers := false
    570. 

  570. 	go func() {
    571. 

  571. 		networksAdded := make([]models.NetworkID, 0)
    572. 

  572. 		networksRemoved := make([]models.NetworkID, 0)
    573. 

  573. 

  574. 		for networkID := range userGroup.NetworkRoles {
    575. 

  575. 			if _, ok := currUserG.NetworkRoles[networkID]; !ok {
    576. 

  576. 				networksAdded = append(networksAdded, networkID)
    577. 

  577. 			}
    578. 

  578. 		}
    579. 

  579. 

  580. 		for networkID := range currUserG.NetworkRoles {
    581. 

  581. 			if _, ok := userGroup.NetworkRoles[networkID]; !ok {
    582. 

  582. 				networksRemoved = append(networksRemoved, networkID)
    583. 

  583. 			}
    584. 

  584. 		}
    585. 

  585. 

  586. 		for _, networkID := range networksAdded {
    587. 

  587. 			// ensure the network exists.
    588. 

  588. 			network, err := logic.GetNetwork(networkID.String())
    589. 

  589. 			if err != nil {
    590. 

  590. 				continue
    591. 

  591. 			}
    592. 

  592. 

  593. 			// insert acl if the network is added to the group.
    594. 

  594. 			acl := models.Acl{
    595. 

  595. 				ID:          uuid.New().String(),
    596. 

  596. 				Name:        fmt.Sprintf("%s group", userGroup.Name),
    597. 

  597. 				MetaData:    "This Policy allows user group to communicate with all gateways",
    598. 

  598. 				Default:     false,
    599. 

  599. 				ServiceType: models.Any,
    600. 

  600. 				NetworkID:   models.NetworkID(network.NetID),
    601. 

  601. 				Proto:       models.ALL,
    602. 

  602. 				RuleType:    models.UserPolicy,
    603. 

  603. 				Src: []models.AclPolicyTag{
    604. 

  604. 					{
    605. 

  605. 						ID:    models.UserGroupAclID,
    606. 

  606. 						Value: userGroup.ID.String(),
    607. 

  607. 					},
    608. 

  608. 				},
    609. 

  609. 				Dst: []models.AclPolicyTag{
    610. 

  610. 					{
    611. 

  611. 						ID:    models.NodeTagID,
    612. 

  612. 						Value: fmt.Sprintf("%s.%s", models.NetworkID(network.NetID), models.GwTagName),
    613. 

  613. 					}},
    614. 

  614. 				AllowedDirection: models.TrafficDirectionUni,
    615. 

  615. 				Enabled:          true,
    616. 

  616. 				CreatedBy:        "auto",
    617. 

  617. 				CreatedAt:        time.Now().UTC(),
    618. 

  618. 			}
    619. 

  619. 			_ = logic.InsertAcl(acl)
    620. 

  620. 			replacePeers = true
    621. 

  621. 		}
    622. 

  622. 

  623. 		// since this group doesn't have a role for this network,
    624. 

  624. 		// there is no point in having this group as src in any
    625. 

  625. 		// of the network's acls.
    626. 

  626. 		for _, networkID := range networksRemoved {
    627. 

  627. 			acls, err := logic.ListAclsByNetwork(networkID)
    628. 

  628. 			if err != nil {
    629. 

  629. 				continue
    630. 

  630. 			}
    631. 

  631. 

  632. 			for _, acl := range acls {
    633. 

  633. 				var hasGroupSrc bool
    634. 

  634. 				newAclSrc := make([]models.AclPolicyTag, 0)
    635. 

  635. 				for _, src := range acl.Src {
    636. 

  636. 					if src.ID == models.UserGroupAclID && src.Value == userGroup.ID.String() {
    637. 

  637. 						hasGroupSrc = true
    638. 

  638. 					} else {
    639. 

  639. 						newAclSrc = append(newAclSrc, src)
    640. 

  640. 					}
    641. 

  641. 				}
    642. 

  642. 

  643. 				if hasGroupSrc {
    644. 

  644. 					if len(newAclSrc) == 0 {
    645. 

  645. 						// no other src exists, delete acl.
    646. 

  646. 						_ = logic.DeleteAcl(acl)
    647. 

  647. 					} else {
    648. 

  648. 						// other sources exist, update acl.
    649. 

  649. 						acl.Src = newAclSrc
    650. 

  650. 						_ = logic.UpsertAcl(acl)
    651. 

  651. 					}
    652. 

  652. 					replacePeers = true
    653. 

  653. 				}
    654. 

  654. 			}
    655. 

  655. 		}
    656. 

  656. 	}()
    657. 

  657. 

  658. 	// reset configs for service user
    659. 

  659. 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userGroup.ID, currUserG.NetworkRoles, userGroup.NetworkRoles)
    660. 

  660. 	go mq.PublishPeerUpdate(replacePeers)
    661. 

  661. 	logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
    662. 

  662. }
    663. 

  663. 

  664. // swagger:route GET /api/v1/users/unassigned_network_user user listUnAssignedNetUsers
    665. 

  665. //
    666. 

  666. // list unassigned network users.
    667. 

  667. //
    668. 

  668. //			Schemes: https
    669. 

  669. //
    670. 

  670. //			Security:
    671. 

  671. //	  		oauth
    672. 

  672. //
    673. 

  673. //			Responses:
    674. 

  674. //				200: userBodyResponse
    675. 

  675. func listUnAssignedNetUsers(w http.ResponseWriter, r *http.Request) {
    676. 

  676. 	netID := r.URL.Query().Get("network_id")
    677. 

  677. 	if netID == "" {
    678. 

  678. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    679. 

  679. 		return
    680. 

  680. 	}
    681. 

  681. 	var unassignedUsers []models.ReturnUser
    682. 

  682. 	users, _ := logic.GetUsers()
    683. 

  683. 	for _, user := range users {
    684. 

  684. 		if user.PlatformRoleID != models.ServiceUser {
    685. 

  685. 			continue
    686. 

  686. 		}
    687. 

  687. 		skipUser := false
    688. 

  688. 		for userGID := range user.UserGroups {
    689. 

  689. 			userG, err := proLogic.GetUserGroup(userGID)
    690. 

  690. 			if err != nil {
    691. 

  691. 				continue
    692. 

  692. 			}
    693. 

  693. 			if _, ok := userG.NetworkRoles[models.NetworkID(netID)]; ok {
    694. 

  694. 				skipUser = true
    695. 

  695. 				break
    696. 

  696. 			}
    697. 

  697. 		}
    698. 

  698. 		if skipUser {
    699. 

  699. 			continue
    700. 

  700. 		}
    701. 

  701. 		unassignedUsers = append(unassignedUsers, user)
    702. 

  702. 	}
    703. 

  703. 	logic.ReturnSuccessResponseWithJson(w, r, unassignedUsers, "returned unassigned network service users")
    704. 

  704. }
    705. 

  705. 

  706. // swagger:route PUT /api/v1/users/add_network_user user addUsertoNetwork
    707. 

  707. //
    708. 

  708. // add user to network.
    709. 

  709. //
    710. 

  710. //			Schemes: https
    711. 

  711. //
    712. 

  712. //			Security:
    713. 

  713. //	  		oauth
    714. 

  714. //
    715. 

  715. //			Responses:
    716. 

  716. //				200: userBodyResponse
    717. 

  717. func addUsertoNetwork(w http.ResponseWriter, r *http.Request) {
    718. 

  718. 	username := r.URL.Query().Get("username")
    719. 

  719. 	if username == "" {
    720. 

  720. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    721. 

  721. 		return
    722. 

  722. 	}
    723. 

  723. 	netID := r.URL.Query().Get("network_id")
    724. 

  724. 	if netID == "" {
    725. 

  725. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    726. 

  726. 		return
    727. 

  727. 	}
    728. 

  728. 	user, err := logic.GetUser(username)
    729. 

  729. 	if err != nil {
    730. 

  730. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    731. 

  731. 		return
    732. 

  732. 	}
    733. 

  733. 	if user.PlatformRoleID != models.ServiceUser {
    734. 

  734. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    735. 

  735. 		return
    736. 

  736. 	}
    737. 

  737. 	oldUser := *user
    738. 

  738. 	user.UserGroups[proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID))] = struct{}{}
    739. 

  739. 	logic.UpsertUser(*user)
    740. 

  740. 	logic.LogEvent(&models.Event{
    741. 

  741. 		Action: models.Update,
    742. 

  742. 		Source: models.Subject{
    743. 

  743. 			ID:   r.Header.Get("user"),
    744. 

  744. 			Name: r.Header.Get("user"),
    745. 

  745. 			Type: models.UserSub,
    746. 

  746. 		},
    747. 

  747. 		TriggeredBy: r.Header.Get("user"),
    748. 

  748. 		Target: models.Subject{
    749. 

  749. 			ID:   user.UserName,
    750. 

  750. 			Name: user.UserName,
    751. 

  751. 			Type: models.UserSub,
    752. 

  752. 		},
    753. 

  753. 		Diff: models.Diff{
    754. 

  754. 			Old: oldUser,
    755. 

  755. 			New: user,
    756. 

  756. 		},
    757. 

  757. 		Origin: models.Dashboard,
    758. 

  758. 	})
    759. 

  759. 

  760. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    761. 

  761. }
    762. 

  762. 

  763. // swagger:route PUT /api/v1/users/remove_network_user user removeUserfromNetwork
    764. 

  764. //
    765. 

  765. // add user to network.
    766. 

  766. //
    767. 

  767. //			Schemes: https
    768. 

  768. //
    769. 

  769. //			Security:
    770. 

  770. //	  		oauth
    771. 

  771. //
    772. 

  772. //			Responses:
    773. 

  773. //				200: userBodyResponse
    774. 

  774. func removeUserfromNetwork(w http.ResponseWriter, r *http.Request) {
    775. 

  775. 	username := r.URL.Query().Get("username")
    776. 

  776. 	if username == "" {
    777. 

  777. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    778. 

  778. 		return
    779. 

  779. 	}
    780. 

  780. 	netID := r.URL.Query().Get("network_id")
    781. 

  781. 	if netID == "" {
    782. 

  782. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    783. 

  783. 		return
    784. 

  784. 	}
    785. 

  785. 	user, err := logic.GetUser(username)
    786. 

  786. 	if err != nil {
    787. 

  787. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    788. 

  788. 		return
    789. 

  789. 	}
    790. 

  790. 	if user.PlatformRoleID != models.ServiceUser {
    791. 

  791. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    792. 

  792. 		return
    793. 

  793. 	}
    794. 

  794. 	oldUser := *user
    795. 

  795. 	delete(user.UserGroups, proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID)))
    796. 

  796. 	logic.UpsertUser(*user)
    797. 

  797. 	logic.LogEvent(&models.Event{
    798. 

  798. 		Action: models.Update,
    799. 

  799. 		Source: models.Subject{
    800. 

  800. 			ID:   r.Header.Get("user"),
    801. 

  801. 			Name: r.Header.Get("user"),
    802. 

  802. 			Type: models.UserSub,
    803. 

  803. 		},
    804. 

  804. 		TriggeredBy: r.Header.Get("user"),
    805. 

  805. 		Target: models.Subject{
    806. 

  806. 			ID:   user.UserName,
    807. 

  807. 			Name: user.UserName,
    808. 

  808. 			Type: models.UserSub,
    809. 

  809. 		},
    810. 

  810. 		Diff: models.Diff{
    811. 

  811. 			Old: oldUser,
    812. 

  812. 			New: user,
    813. 

  813. 		},
    814. 

  814. 		Origin: models.Dashboard,
    815. 

  815. 	})
    816. 

  816. 

  817. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    818. 

  818. }
    819. 

  819. 

  820. // swagger:route DELETE /api/v1/user/group user deleteUserGroup
    821. 

  821. //
    822. 

  822. // delete user group.
    823. 

  823. //
    824. 

  824. //			Schemes: https
    825. 

  825. //
    826. 

  826. //			Security:
    827. 

  827. //	  		oauth
    828. 

  828. //
    829. 

  829. //			Responses:
    830. 

  830. //				200: userBodyResponse
    831. 

  831. //
    832. 

  832. // @Summary     Delete user group.
    833. 

  833. // @Router      /api/v1/user/group [delete]
    834. 

  834. // @Tags        Users
    835. 

  835. // @Param       group_id query string true "group id required to delete the role"
    836. 

  836. // @Success     200 {string} string
    837. 

  837. // @Failure     500 {object} models.ErrorResponse
    838. 

  838. func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
    839. 

  839. 

  840. 	gid := r.URL.Query().Get("group_id")
    841. 

  841. 	if gid == "" {
    842. 

  842. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    843. 

  843. 		return
    844. 

  844. 	}
    845. 

  845. 	userG, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    846. 

  846. 	if err != nil {
    847. 

  847. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to fetch group details"), "badrequest"))
    848. 

  848. 		return
    849. 

  849. 	}
    850. 

  850. 	if userG.Default {
    851. 

  851. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default user group"), "badrequest"))
    852. 

  852. 		return
    853. 

  853. 	}
    854. 

  854. 	err = proLogic.DeleteUserGroup(models.UserGroupID(gid))
    855. 

  855. 	if err != nil {
    856. 

  856. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    857. 

  857. 		return
    858. 

  858. 	}
    859. 

  859. 	logic.LogEvent(&models.Event{
    860. 

  860. 		Action: models.Delete,
    861. 

  861. 		Source: models.Subject{
    862. 

  862. 			ID:   r.Header.Get("user"),
    863. 

  863. 			Name: r.Header.Get("user"),
    864. 

  864. 			Type: models.UserSub,
    865. 

  865. 		},
    866. 

  866. 		TriggeredBy: r.Header.Get("user"),
    867. 

  867. 		Target: models.Subject{
    868. 

  868. 			ID:   userG.ID.String(),
    869. 

  869. 			Name: userG.Name,
    870. 

  870. 			Type: models.UserGroupSub,
    871. 

  871. 		},
    872. 

  872. 		Origin: models.Dashboard,
    873. 

  873. 	})
    874. 

  874. 	replacePeers := false
    875. 

  875. 	go func() {
    876. 

  876. 		for networkID := range userG.NetworkRoles {
    877. 

  877. 			acls, err := logic.ListAclsByNetwork(networkID)
    878. 

  878. 			if err != nil {
    879. 

  879. 				continue
    880. 

  880. 			}
    881. 

  881. 

  882. 			for _, acl := range acls {
    883. 

  883. 				var hasGroupSrc bool
    884. 

  884. 				newAclSrc := make([]models.AclPolicyTag, 0)
    885. 

  885. 				for _, src := range acl.Src {
    886. 

  886. 					if src.ID == models.UserGroupAclID && src.Value == userG.ID.String() {
    887. 

  887. 						hasGroupSrc = true
    888. 

  888. 					} else {
    889. 

  889. 						newAclSrc = append(newAclSrc, src)
    890. 

  890. 					}
    891. 

  891. 				}
    892. 

  892. 

  893. 				if hasGroupSrc {
    894. 

  894. 					if len(newAclSrc) == 0 {
    895. 

  895. 						// no other src exists, delete acl.
    896. 

  896. 						_ = logic.DeleteAcl(acl)
    897. 

  897. 					} else {
    898. 

  898. 						// other sources exist, update acl.
    899. 

  899. 						acl.Src = newAclSrc
    900. 

  900. 						_ = logic.UpsertAcl(acl)
    901. 

  901. 					}
    902. 

  902. 					replacePeers = true
    903. 

  903. 				}
    904. 

  904. 			}
    905. 

  905. 		}
    906. 

  906. 	}()
    907. 

  907. 

  908. 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userG.ID, userG.NetworkRoles, make(map[models.NetworkID]map[models.UserRoleID]struct{}))
    909. 

  909. 	go mq.PublishPeerUpdate(replacePeers)
    910. 

  910. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
    911. 

  911. }
    912. 

  912. 

  913. // @Summary     lists all user roles.
    914. 

  914. // @Router      /api/v1/user/roles [get]
    915. 

  915. // @Tags        Users
    916. 

  916. // @Param       role_id query string true "roleid required to get the role details"
    917. 

  917. // @Success     200 {object}  []models.UserRolePermissionTemplate
    918. 

  918. // @Failure     500 {object} models.ErrorResponse
    919. 

  919. func ListRoles(w http.ResponseWriter, r *http.Request) {
    920. 

  920. 	platform := r.URL.Query().Get("platform")
    921. 

  921. 	var roles []models.UserRolePermissionTemplate
    922. 

  922. 	var err error
    923. 

  923. 	if platform == "true" {
    924. 

  924. 		roles, err = logic.ListPlatformRoles()
    925. 

  925. 	} else {
    926. 

  926. 		roles, err = proLogic.ListNetworkRoles()
    927. 

  927. 	}
    928. 

  928. 	if err != nil {
    929. 

  929. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    930. 

  930. 			Code:    http.StatusInternalServerError,
    931. 

  931. 			Message: err.Error(),
    932. 

  932. 		})
    933. 

  933. 		return
    934. 

  934. 	}
    935. 

  935. 

  936. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    937. 

  937. }
    938. 

  938. 

  939. // @Summary     Get user role permission template.
    940. 

  940. // @Router      /api/v1/user/role [get]
    941. 

  941. // @Tags        Users
    942. 

  942. // @Param       role_id query string true "roleid required to get the role details"
    943. 

  943. // @Success     200 {object} models.UserRolePermissionTemplate
    944. 

  944. // @Failure     500 {object} models.ErrorResponse
    945. 

  945. func getRole(w http.ResponseWriter, r *http.Request) {
    946. 

  946. 	rid := r.URL.Query().Get("role_id")
    947. 

  947. 	if rid == "" {
    948. 

  948. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    949. 

  949. 		return
    950. 

  950. 	}
    951. 

  951. 	role, err := logic.GetRole(models.UserRoleID(rid))
    952. 

  952. 	if err != nil {
    953. 

  953. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    954. 

  954. 			Code:    http.StatusInternalServerError,
    955. 

  955. 			Message: err.Error(),
    956. 

  956. 		})
    957. 

  957. 		return
    958. 

  958. 	}
    959. 

  959. 	logic.ReturnSuccessResponseWithJson(w, r, role, "successfully fetched user role permission templates")
    960. 

  960. }
    961. 

  961. 

  962. // @Summary     Create user role permission template.
    963. 

  963. // @Router      /api/v1/user/role [post]
    964. 

  964. // @Tags        Users
    965. 

  965. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    966. 

  966. // @Success     200 {object}  models.UserRolePermissionTemplate
    967. 

  967. // @Failure     500 {object} models.ErrorResponse
    968. 

  968. func createRole(w http.ResponseWriter, r *http.Request) {
    969. 

  969. 	var userRole models.UserRolePermissionTemplate
    970. 

  970. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    971. 

  971. 	if err != nil {
    972. 

  972. 		slog.Error("error decoding request body", "error",
    973. 

  973. 			err.Error())
    974. 

  974. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    975. 

  975. 		return
    976. 

  976. 	}
    977. 

  977. 	err = proLogic.ValidateCreateRoleReq(&userRole)
    978. 

  978. 	if err != nil {
    979. 

  979. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    980. 

  980. 		return
    981. 

  981. 	}
    982. 

  982. 	userRole.Default = false
    983. 

  983. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    984. 

  984. 	err = proLogic.CreateRole(userRole)
    985. 

  985. 	if err != nil {
    986. 

  986. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    987. 

  987. 		return
    988. 

  988. 	}
    989. 

  989. 	logic.LogEvent(&models.Event{
    990. 

  990. 		Action: models.Create,
    991. 

  991. 		Source: models.Subject{
    992. 

  992. 			ID:   r.Header.Get("user"),
    993. 

  993. 			Name: r.Header.Get("user"),
    994. 

  994. 			Type: models.UserSub,
    995. 

  995. 		},
    996. 

  996. 		TriggeredBy: r.Header.Get("user"),
    997. 

  997. 		Target: models.Subject{
    998. 

  998. 			ID:   userRole.ID.String(),
    999. 

  999. 			Name: userRole.Name,
    1000. 

  1000. 			Type: models.UserRoleSub,
    1001. 

  1001. 		},
    1002. 

  1002. 		Origin: models.ClientApp,
    1003. 

  1003. 	})
    1004. 

  1004. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "created user role")
    1005. 

  1005. }
    1006. 

  1006. 

  1007. // @Summary     Update user role permission template.
    1008. 

  1008. // @Router      /api/v1/user/role [put]
    1009. 

  1009. // @Tags        Users
    1010. 

  1010. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    1011. 

  1011. // @Success     200 {object} models.UserRolePermissionTemplate
    1012. 

  1012. // @Failure     500 {object} models.ErrorResponse
    1013. 

  1013. func updateRole(w http.ResponseWriter, r *http.Request) {
    1014. 

  1014. 	var userRole models.UserRolePermissionTemplate
    1015. 

  1015. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    1016. 

  1016. 	if err != nil {
    1017. 

  1017. 		slog.Error("error decoding request body", "error",
    1018. 

  1018. 			err.Error())
    1019. 

  1019. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1020. 

  1020. 		return
    1021. 

  1021. 	}
    1022. 

  1022. 	currRole, err := logic.GetRole(userRole.ID)
    1023. 

  1023. 	if err != nil {
    1024. 

  1024. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1025. 

  1025. 		return
    1026. 

  1026. 	}
    1027. 

  1027. 	err = proLogic.ValidateUpdateRoleReq(&userRole)
    1028. 

  1028. 	if err != nil {
    1029. 

  1029. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1030. 

  1030. 		return
    1031. 

  1031. 	}
    1032. 

  1032. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    1033. 

  1033. 	err = proLogic.UpdateRole(userRole)
    1034. 

  1034. 	if err != nil {
    1035. 

  1035. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1036. 

  1036. 		return
    1037. 

  1037. 	}
    1038. 

  1038. 	logic.LogEvent(&models.Event{
    1039. 

  1039. 		Action: models.Update,
    1040. 

  1040. 		Source: models.Subject{
    1041. 

  1041. 			ID:   r.Header.Get("user"),
    1042. 

  1042. 			Name: r.Header.Get("user"),
    1043. 

  1043. 			Type: models.UserSub,
    1044. 

  1044. 		},
    1045. 

  1045. 		TriggeredBy: r.Header.Get("user"),
    1046. 

  1046. 		Target: models.Subject{
    1047. 

  1047. 			ID:   userRole.ID.String(),
    1048. 

  1048. 			Name: userRole.Name,
    1049. 

  1049. 			Type: models.UserRoleSub,
    1050. 

  1050. 		},
    1051. 

  1051. 		Diff: models.Diff{
    1052. 

  1052. 			Old: currRole,
    1053. 

  1053. 			New: userRole,
    1054. 

  1054. 		},
    1055. 

  1055. 		Origin: models.Dashboard,
    1056. 

  1056. 	})
    1057. 

  1057. 	// reset configs for service user
    1058. 

  1058. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
    1059. 

  1059. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "updated user role")
    1060. 

  1060. }
    1061. 

  1061. 

  1062. // @Summary     Delete user role permission template.
    1063. 

  1063. // @Router      /api/v1/user/role [delete]
    1064. 

  1064. // @Tags        Users
    1065. 

  1065. // @Param       role_id query string true "roleid required to delete the role"
    1066. 

  1066. // @Success     200 {string} string
    1067. 

  1067. // @Failure     500 {object} models.ErrorResponse
    1068. 

  1068. func deleteRole(w http.ResponseWriter, r *http.Request) {
    1069. 

  1069. 

  1070. 	rid := r.URL.Query().Get("role_id")
    1071. 

  1071. 	if rid == "" {
    1072. 

  1072. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1073. 

  1073. 		return
    1074. 

  1074. 	}
    1075. 

  1075. 	role, err := logic.GetRole(models.UserRoleID(rid))
    1076. 

  1076. 	if err != nil {
    1077. 

  1077. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1078. 

  1078. 		return
    1079. 

  1079. 	}
    1080. 

  1080. 	err = proLogic.DeleteRole(models.UserRoleID(rid), false)
    1081. 

  1081. 	if err != nil {
    1082. 

  1082. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1083. 

  1083. 		return
    1084. 

  1084. 	}
    1085. 

  1085. 	logic.LogEvent(&models.Event{
    1086. 

  1086. 		Action: models.Delete,
    1087. 

  1087. 		Source: models.Subject{
    1088. 

  1088. 			ID:   r.Header.Get("user"),
    1089. 

  1089. 			Name: r.Header.Get("user"),
    1090. 

  1090. 			Type: models.UserSub,
    1091. 

  1091. 		},
    1092. 

  1092. 		TriggeredBy: r.Header.Get("user"),
    1093. 

  1093. 		Target: models.Subject{
    1094. 

  1094. 			ID:   role.ID.String(),
    1095. 

  1095. 			Name: role.Name,
    1096. 

  1096. 			Type: models.UserRoleSub,
    1097. 

  1097. 		},
    1098. 

  1098. 		Origin: models.Dashboard,
    1099. 

  1099. 	})
    1100. 

  1100. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
    1101. 

  1101. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user role")
    1102. 

  1102. }
    1103. 

  1103. 

  1104. // @Summary     Attach user to a remote access gateway
    1105. 

  1105. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [post]
    1106. 

  1106. // @Tags        PRO
    1107. 

  1107. // @Accept      json
    1108. 

  1108. // @Produce     json
    1109. 

  1109. // @Param       username path string true "Username"
    1110. 

  1110. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1111. 

  1111. // @Success     200 {object} models.ReturnUser
    1112. 

  1112. // @Failure     400 {object} models.ErrorResponse
    1113. 

  1113. // @Failure     500 {object} models.ErrorResponse
    1114. 

  1114. func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
    1115. 

  1115. 	// set header.
    1116. 

  1116. 	w.Header().Set("Content-Type", "application/json")
    1117. 

  1117. 

  1118. 	var params = mux.Vars(r)
    1119. 

  1119. 	username := params["username"]
    1120. 

  1120. 	remoteGwID := params["remote_access_gateway_id"]
    1121. 

  1121. 	if username == "" || remoteGwID == "" {
    1122. 

  1122. 		logic.ReturnErrorResponse(
    1123. 

  1123. 			w,
    1124. 

  1124. 			r,
    1125. 

  1125. 			logic.FormatError(
    1126. 

  1126. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1127. 

  1127. 				"badrequest",
    1128. 

  1128. 			),
    1129. 

  1129. 		)
    1130. 

  1130. 		return
    1131. 

  1131. 	}
    1132. 

  1132. 	user, err := logic.GetUser(username)
    1133. 

  1133. 	if err != nil {
    1134. 

  1134. 		slog.Error("failed to fetch user: ", "username", username, "error", err.Error())
    1135. 

  1135. 		logic.ReturnErrorResponse(
    1136. 

  1136. 			w,
    1137. 

  1137. 			r,
    1138. 

  1138. 			logic.FormatError(
    1139. 

  1139. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1140. 

  1140. 				"badrequest",
    1141. 

  1141. 			),
    1142. 

  1142. 		)
    1143. 

  1143. 		return
    1144. 

  1144. 	}
    1145. 

  1145. 	if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
    1146. 

  1146. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("superadmins/admins have access to all gateways"), "badrequest"))
    1147. 

  1147. 		return
    1148. 

  1148. 	}
    1149. 

  1149. 	node, err := logic.GetNodeByID(remoteGwID)
    1150. 

  1150. 	if err != nil {
    1151. 

  1151. 		slog.Error("failed to fetch gateway node", "nodeID", remoteGwID, "error", err)
    1152. 

  1152. 		logic.ReturnErrorResponse(
    1153. 

  1153. 			w,
    1154. 

  1154. 			r,
    1155. 

  1155. 			logic.FormatError(
    1156. 

  1156. 				fmt.Errorf("failed to fetch remote access gateway node, error: %v", err),
    1157. 

  1157. 				"badrequest",
    1158. 

  1158. 			),
    1159. 

  1159. 		)
    1160. 

  1160. 		return
    1161. 

  1161. 	}
    1162. 

  1162. 	if !node.IsIngressGateway {
    1163. 

  1163. 		logic.ReturnErrorResponse(
    1164. 

  1164. 			w,
    1165. 

  1165. 			r,
    1166. 

  1166. 			logic.FormatError(fmt.Errorf("node is not a remote access gateway"), "badrequest"),
    1167. 

  1167. 		)
    1168. 

  1168. 		return
    1169. 

  1169. 	}
    1170. 

  1170. 	if user.RemoteGwIDs == nil {
    1171. 

  1171. 		user.RemoteGwIDs = make(map[string]struct{})
    1172. 

  1172. 	}
    1173. 

  1173. 	user.RemoteGwIDs[node.ID.String()] = struct{}{}
    1174. 

  1174. 	err = logic.UpsertUser(*user)
    1175. 

  1175. 	if err != nil {
    1176. 

  1176. 		slog.Error("failed to update user's gateways", "user", username, "error", err)
    1177. 

  1177. 		logic.ReturnErrorResponse(
    1178. 

  1178. 			w,
    1179. 

  1179. 			r,
    1180. 

  1180. 			logic.FormatError(
    1181. 

  1181. 				fmt.Errorf("failed to fetch remote access gateway node,error: %v", err),
    1182. 

  1182. 				"badrequest",
    1183. 

  1183. 			),
    1184. 

  1184. 		)
    1185. 

  1185. 		return
    1186. 

  1186. 	}
    1187. 

  1187. 

  1188. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1189. 

  1189. }
    1190. 

  1190. 

  1191. // @Summary     Remove user from a remote access gateway
    1192. 

  1192. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [delete]
    1193. 

  1193. // @Tags        PRO
    1194. 

  1194. // @Accept      json
    1195. 

  1195. // @Produce     json
    1196. 

  1196. // @Param       username path string true "Username"
    1197. 

  1197. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1198. 

  1198. // @Success     200 {object} models.ReturnUser
    1199. 

  1199. // @Failure     400 {object} models.ErrorResponse
    1200. 

  1200. // @Failure     500 {object} models.ErrorResponse
    1201. 

  1201. func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
    1202. 

  1202. 	// set header.
    1203. 

  1203. 	w.Header().Set("Content-Type", "application/json")
    1204. 

  1204. 

  1205. 	var params = mux.Vars(r)
    1206. 

  1206. 	username := params["username"]
    1207. 

  1207. 	remoteGwID := params["remote_access_gateway_id"]
    1208. 

  1208. 	if username == "" || remoteGwID == "" {
    1209. 

  1209. 		logic.ReturnErrorResponse(
    1210. 

  1210. 			w,
    1211. 

  1211. 			r,
    1212. 

  1212. 			logic.FormatError(
    1213. 

  1213. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1214. 

  1214. 				"badrequest",
    1215. 

  1215. 			),
    1216. 

  1216. 		)
    1217. 

  1217. 		return
    1218. 

  1218. 	}
    1219. 

  1219. 	user, err := logic.GetUser(username)
    1220. 

  1220. 	if err != nil {
    1221. 

  1221. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1222. 

  1222. 		logic.ReturnErrorResponse(
    1223. 

  1223. 			w,
    1224. 

  1224. 			r,
    1225. 

  1225. 			logic.FormatError(
    1226. 

  1226. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1227. 

  1227. 				"badrequest",
    1228. 

  1228. 			),
    1229. 

  1229. 		)
    1230. 

  1230. 		return
    1231. 

  1231. 	}
    1232. 

  1232. 	delete(user.RemoteGwIDs, remoteGwID)
    1233. 

  1233. 	go func(user models.User, remoteGwID string) {
    1234. 

  1234. 		extclients, err := logic.GetAllExtClients()
    1235. 

  1235. 		if err != nil {
    1236. 

  1236. 			slog.Error("failed to fetch extclients", "error", err)
    1237. 

  1237. 			return
    1238. 

  1238. 		}
    1239. 

  1239. 		for _, extclient := range extclients {
    1240. 

  1240. 			if extclient.OwnerID == user.UserName && remoteGwID == extclient.IngressGatewayID {
    1241. 

  1241. 				err = logic.DeleteExtClientAndCleanup(extclient)
    1242. 

  1242. 				if err != nil {
    1243. 

  1243. 					slog.Error("failed to delete extclient",
    1244. 

  1244. 						"id", extclient.ClientID, "owner", user.UserName, "error", err)
    1245. 

  1245. 				} else {
    1246. 

  1246. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    1247. 

  1247. 						slog.Error("error setting ext peers: " + err.Error())
    1248. 

  1248. 					}
    1249. 

  1249. 				}
    1250. 

  1250. 			}
    1251. 

  1251. 		}
    1252. 

  1252. 		if servercfg.IsDNSMode() {
    1253. 

  1253. 			logic.SetDNS()
    1254. 

  1254. 		}
    1255. 

  1255. 	}(*user, remoteGwID)
    1256. 

  1256. 

  1257. 	err = logic.UpsertUser(*user)
    1258. 

  1258. 	if err != nil {
    1259. 

  1259. 		slog.Error("failed to update user gateways", "user", username, "error", err)
    1260. 

  1260. 		logic.ReturnErrorResponse(
    1261. 

  1261. 			w,
    1262. 

  1262. 			r,
    1263. 

  1263. 			logic.FormatError(
    1264. 

  1264. 				errors.New("failed to fetch remote access gaetway node "+err.Error()),
    1265. 

  1265. 				"badrequest",
    1266. 

  1266. 			),
    1267. 

  1267. 		)
    1268. 

  1268. 		return
    1269. 

  1269. 	}
    1270. 

  1270. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1271. 

  1271. }
    1272. 

  1272. 

  1273. // @Summary     Get Users Remote Access Gw Networks.
    1274. 

  1274. // @Router      /api/users/{username}/remote_access_gw [get]
    1275. 

  1275. // @Tags        Users
    1276. 

  1276. // @Param       username path string true "Username to fetch all the gateways with access"
    1277. 

  1277. // @Success     200 {object} map[string][]models.UserRemoteGws
    1278. 

  1278. // @Failure     500 {object} models.ErrorResponse
    1279. 

  1279. func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
    1280. 

  1280. 	// set header.
    1281. 

  1281. 	w.Header().Set("Content-Type", "application/json")
    1282. 

  1282. 	username := r.Header.Get("user")
    1283. 

  1283. 	user, err := logic.GetUser(username)
    1284. 

  1284. 	if err != nil {
    1285. 

  1285. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1286. 

  1286. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1287. 

  1287. 		return
    1288. 

  1288. 	}
    1289. 

  1289. 	userGws := make(map[string][]models.UserRemoteGws)
    1290. 

  1290. 	networks := []models.Network{}
    1291. 

  1291. 	networkMap := make(map[string]struct{})
    1292. 

  1292. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1293. 

  1293. 	for _, node := range userGwNodes {
    1294. 

  1294. 		network, err := logic.GetNetwork(node.Network)
    1295. 

  1295. 		if err != nil {
    1296. 

  1296. 			slog.Error("failed to get node network", "error", err)
    1297. 

  1297. 			continue
    1298. 

  1298. 		}
    1299. 

  1299. 		if _, ok := networkMap[network.NetID]; ok {
    1300. 

  1300. 			continue
    1301. 

  1301. 		}
    1302. 

  1302. 		networkMap[network.NetID] = struct{}{}
    1303. 

  1303. 		networks = append(networks, network)
    1304. 

  1304. 	}
    1305. 

  1305. 

  1306. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1307. 

  1307. 	logic.ReturnSuccessResponseWithJson(w, r, networks, "fetched user accessible networks")
    1308. 

  1308. }
    1309. 

  1309. 

  1310. // @Summary     Get Users Remote Access Gw Networks.
    1311. 

  1311. // @Router      /api/users/{username}/remote_access_gw [get]
    1312. 

  1312. // @Tags        Users
    1313. 

  1313. // @Param       username path string true "Username to fetch all the gateways with access"
    1314. 

  1314. // @Success     200 {object} map[string][]models.UserRemoteGws
    1315. 

  1315. // @Failure     500 {object} models.ErrorResponse
    1316. 

  1316. func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request) {
    1317. 

  1317. 	// set header.
    1318. 

  1318. 	w.Header().Set("Content-Type", "application/json")
    1319. 

  1319. 	var params = mux.Vars(r)
    1320. 

  1320. 	username := r.Header.Get("user")
    1321. 

  1321. 	user, err := logic.GetUser(username)
    1322. 

  1322. 	if err != nil {
    1323. 

  1323. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1324. 

  1324. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1325. 

  1325. 		return
    1326. 

  1326. 	}
    1327. 

  1327. 	network := params["network"]
    1328. 

  1328. 	if network == "" {
    1329. 

  1329. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params network"), "badrequest"))
    1330. 

  1330. 		return
    1331. 

  1331. 	}
    1332. 

  1332. 	userGws := []models.UserRAGs{}
    1333. 

  1333. 

  1334. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1335. 

  1335. 	for _, node := range userGwNodes {
    1336. 

  1336. 		if node.Network != network {
    1337. 

  1337. 			continue
    1338. 

  1338. 		}
    1339. 

  1339. 

  1340. 		host, err := logic.GetHost(node.HostID.String())
    1341. 

  1341. 		if err != nil {
    1342. 

  1342. 			continue
    1343. 

  1343. 		}
    1344. 

  1344. 

  1345. 		userGws = append(userGws, models.UserRAGs{
    1346. 

  1346. 			GwID:              node.ID.String(),
    1347. 

  1347. 			GWName:            host.Name,
    1348. 

  1348. 			Network:           node.Network,
    1349. 

  1349. 			IsInternetGateway: node.IsInternetGateway,
    1350. 

  1350. 			Metadata:          node.Metadata,
    1351. 

  1351. 		})
    1352. 

  1352. 

  1353. 	}
    1354. 

  1354. 

  1355. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1356. 

  1356. 	logic.ReturnSuccessResponseWithJson(w, r, userGws, "fetched user accessible gateways in network "+network)
    1357. 

  1357. }
    1358. 

  1358. 

  1359. // @Summary     Get Users Remote Access Gw Networks.
    1360. 

  1360. // @Router      /api/users/{username}/remote_access_gw [get]
    1361. 

  1361. // @Tags        Users
    1362. 

  1362. // @Param       username path string true "Username to fetch all the gateways with access"
    1363. 

  1363. // @Success     200 {object} map[string][]models.UserRemoteGws
    1364. 

  1364. // @Failure     500 {object} models.ErrorResponse
    1365. 

  1365. func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
    1366. 

  1366. 	// set header.
    1367. 

  1367. 	w.Header().Set("Content-Type", "application/json")
    1368. 

  1368. 	var params = mux.Vars(r)
    1369. 

  1369. 	username := r.Header.Get("user")
    1370. 

  1370. 	user, err := logic.GetUser(username)
    1371. 

  1371. 	if err != nil {
    1372. 

  1372. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1373. 

  1373. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1374. 

  1374. 		return
    1375. 

  1375. 	}
    1376. 

  1376. 	remoteGwID := params["access_point_id"]
    1377. 

  1377. 	if remoteGwID == "" {
    1378. 

  1378. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params access_point_id"), "badrequest"))
    1379. 

  1379. 		return
    1380. 

  1380. 	}
    1381. 

  1381. 	var req models.UserRemoteGwsReq
    1382. 

  1382. 	err = json.NewDecoder(r.Body).Decode(&req)
    1383. 

  1383. 	if err != nil {
    1384. 

  1384. 		slog.Error("error decoding request body: ", "error", err)
    1385. 

  1385. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1386. 

  1386. 		return
    1387. 

  1387. 	}
    1388. 

  1388. 

  1389. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1390. 

  1390. 	if _, ok := userGwNodes[remoteGwID]; !ok {
    1391. 

  1391. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
    1392. 

  1392. 		return
    1393. 

  1393. 	}
    1394. 

  1394. 	node, err := logic.GetNodeByID(remoteGwID)
    1395. 

  1395. 	if err != nil {
    1396. 

  1396. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw node %s, error: %v", remoteGwID, err), "badrequest"))
    1397. 

  1397. 		return
    1398. 

  1398. 	}
    1399. 

  1399. 	host, err := logic.GetHost(node.HostID.String())
    1400. 

  1400. 	if err != nil {
    1401. 

  1401. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw host %s, error: %v", remoteGwID, err), "badrequest"))
    1402. 

  1402. 		return
    1403. 

  1403. 	}
    1404. 

  1404. 	network, err := logic.GetNetwork(node.Network)
    1405. 

  1405. 	if err != nil {
    1406. 

  1406. 		slog.Error("failed to get node network", "error", err)
    1407. 

  1407. 	}
    1408. 

  1408. 	var userConf models.ExtClient
    1409. 

  1409. 	allextClients, err := logic.GetAllExtClients()
    1410. 

  1410. 	if err != nil {
    1411. 

  1411. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1412. 

  1412. 		return
    1413. 

  1413. 	}
    1414. 

  1414. 	for _, extClient := range allextClients {
    1415. 

  1415. 		if extClient.Network != network.NetID || extClient.IngressGatewayID != node.ID.String() {
    1416. 

  1416. 			continue
    1417. 

  1417. 		}
    1418. 

  1418. 		if extClient.RemoteAccessClientID == req.RemoteAccessClientID && extClient.OwnerID == username {
    1419. 

  1419. 			userConf = extClient
    1420. 

  1420. 			userConf.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
    1421. 

  1421. 		}
    1422. 

  1422. 	}
    1423. 

  1423. 	if userConf.ClientID == "" {
    1424. 

  1424. 		// create a new conf
    1425. 

  1425. 		userConf.OwnerID = user.UserName
    1426. 

  1426. 		userConf.RemoteAccessClientID = req.RemoteAccessClientID
    1427. 

  1427. 		userConf.IngressGatewayID = node.ID.String()
    1428. 

  1428. 		logic.SetDNSOnWgConfig(&node, &userConf)
    1429. 

  1429. 

  1430. 		userConf.Network = node.Network
    1431. 

  1431. 		host, err := logic.GetHost(node.HostID.String())
    1432. 

  1432. 		if err != nil {
    1433. 

  1433. 			logger.Log(0, r.Header.Get("user"),
    1434. 

  1434. 				fmt.Sprintf("failed to get ingress gateway host for node [%s] info: %v", node.ID, err))
    1435. 

  1435. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1436. 

  1436. 			return
    1437. 

  1437. 		}
    1438. 

  1438. 		listenPort := logic.GetPeerListenPort(host)
    1439. 

  1439. 		if host.EndpointIP.To4() == nil {
    1440. 

  1440. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("[%s]:%d", host.EndpointIPv6.String(), listenPort)
    1441. 

  1441. 		} else {
    1442. 

  1442. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("%s:%d", host.EndpointIP.String(), listenPort)
    1443. 

  1443. 		}
    1444. 

  1444. 		userConf.Enabled = true
    1445. 

  1445. 		parentNetwork, err := logic.GetNetwork(node.Network)
    1446. 

  1446. 		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
    1447. 

  1447. 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
    1448. 

  1448. 		}
    1449. 

  1449. 		userConf.Tags = make(map[models.TagID]struct{})
    1450. 

  1450. 		// userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
    1451. 

  1451. 		// 	models.RemoteAccessTagName))] = struct{}{}
    1452. 

  1452. 		if err = logic.CreateExtClient(&userConf); err != nil {
    1453. 

  1453. 			slog.Error(
    1454. 

  1454. 				"failed to create extclient",
    1455. 

  1455. 				"user",
    1456. 

  1456. 				r.Header.Get("user"),
    1457. 

  1457. 				"network",
    1458. 

  1458. 				node.Network,
    1459. 

  1459. 				"error",
    1460. 

  1460. 				err,
    1461. 

  1461. 			)
    1462. 

  1462. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1463. 

  1463. 			return
    1464. 

  1464. 		}
    1465. 

  1465. 	}
    1466. 

  1466. 	userGw := models.UserRemoteGws{
    1467. 

  1467. 		GwID:              node.ID.String(),
    1468. 

  1468. 		GWName:            host.Name,
    1469. 

  1469. 		Network:           node.Network,
    1470. 

  1470. 		GwClient:          userConf,
    1471. 

  1471. 		Connected:         true,
    1472. 

  1472. 		IsInternetGateway: node.IsInternetGateway,
    1473. 

  1473. 		GwPeerPublicKey:   host.PublicKey.String(),
    1474. 

  1474. 		GwListenPort:      logic.GetPeerListenPort(host),
    1475. 

  1475. 		Metadata:          node.Metadata,
    1476. 

  1476. 		AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1477. 

  1477. 		NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1478. 

  1478. 		DnsAddress:        node.IngressDNS,
    1479. 

  1479. 		Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1480. 

  1480. 	}
    1481. 

  1481. 

  1482. 	slog.Debug("returned user gw config", "user", user.UserName, "gws", userGw)
    1483. 

  1483. 	logic.ReturnSuccessResponseWithJson(w, r, userGw, "fetched user config to gw "+remoteGwID)
    1484. 

  1484. }
    1485. 

  1485. 

  1486. // @Summary     Get Users Remote Access Gw.
    1487. 

  1487. // @Router      /api/users/{username}/remote_access_gw [get]
    1488. 

  1488. // @Tags        Users
    1489. 

  1489. // @Param       username path string true "Username to fetch all the gateways with access"
    1490. 

  1490. // @Success     200 {object} map[string][]models.UserRemoteGws
    1491. 

  1491. // @Failure     500 {object} models.ErrorResponse
    1492. 

  1492. func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
    1493. 

  1493. 	// set header.
    1494. 

  1494. 	w.Header().Set("Content-Type", "application/json")
    1495. 

  1495. 	var params = mux.Vars(r)
    1496. 

  1496. 	username := params["username"]
    1497. 

  1497. 	if username == "" {
    1498. 

  1498. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
    1499. 

  1499. 		return
    1500. 

  1500. 	}
    1501. 

  1501. 	user, err := logic.GetUser(username)
    1502. 

  1502. 	if err != nil {
    1503. 

  1503. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1504. 

  1504. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1505. 

  1505. 		return
    1506. 

  1506. 	}
    1507. 

  1507. 	deviceID := r.URL.Query().Get("device_id")
    1508. 

  1508. 	remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
    1509. 

  1509. 	var req models.UserRemoteGwsReq
    1510. 

  1510. 	if remoteAccessClientID == "" {
    1511. 

  1511. 		err := json.NewDecoder(r.Body).Decode(&req)
    1512. 

  1512. 		if err != nil {
    1513. 

  1513. 			slog.Error("error decoding request body: ", "error", err)
    1514. 

  1514. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1515. 

  1515. 			return
    1516. 

  1516. 		}
    1517. 

  1517. 	}
    1518. 

  1518. 	reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
    1519. 

  1519. 	if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
    1520. 

  1520. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
    1521. 

  1521. 		return
    1522. 

  1522. 	}
    1523. 

  1523. 	if req.RemoteAccessClientID == "" {
    1524. 

  1524. 		req.RemoteAccessClientID = remoteAccessClientID
    1525. 

  1525. 	}
    1526. 

  1526. 	userGws := make(map[string][]models.UserRemoteGws)
    1527. 

  1527. 	allextClients, err := logic.GetAllExtClients()
    1528. 

  1528. 	if err != nil {
    1529. 

  1529. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1530. 

  1530. 		return
    1531. 

  1531. 	}
    1532. 

  1532. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1533. 

  1533. 

  1534. 	userExtClients := make(map[string][]models.ExtClient)
    1535. 

  1535. 

  1536. 	// group all extclients of the requesting user by ingress
    1537. 

  1537. 	// gateway.
    1538. 

  1538. 	for _, extClient := range allextClients {
    1539. 

  1539. 		// filter our extclients that don't belong to this user.
    1540. 

  1540. 		if extClient.OwnerID != username {
    1541. 

  1541. 			continue
    1542. 

  1542. 		}
    1543. 

  1543. 

  1544. 		if extClient.RemoteAccessClientID == "" {
    1545. 

  1545. 			continue
    1546. 

  1546. 		}
    1547. 

  1547. 

  1548. 		_, ok := userExtClients[extClient.IngressGatewayID]
    1549. 

  1549. 		if !ok {
    1550. 

  1550. 			userExtClients[extClient.IngressGatewayID] = []models.ExtClient{}
    1551. 

  1551. 		}
    1552. 

  1552. 

  1553. 		userExtClients[extClient.IngressGatewayID] = append(userExtClients[extClient.IngressGatewayID], extClient)
    1554. 

  1554. 	}
    1555. 

  1555. 

  1556. 	for ingressGatewayID, extClients := range userExtClients {
    1557. 

  1557. 		logic.SortExtClient(extClients)
    1558. 

  1558. 

  1559. 		node, ok := userGwNodes[ingressGatewayID]
    1560. 

  1560. 		if !ok {
    1561. 

  1561. 			continue
    1562. 

  1562. 		}
    1563. 

  1563. 

  1564. 		var gwClient models.ExtClient
    1565. 

  1565. 		var found bool
    1566. 

  1566. 		if deviceID != "" {
    1567. 

  1567. 			for _, extClient := range extClients {
    1568. 

  1568. 				if extClient.DeviceID == deviceID {
    1569. 

  1569. 					gwClient = extClient
    1570. 

  1570. 					found = true
    1571. 

  1571. 					break
    1572. 

  1572. 				}
    1573. 

  1573. 			}
    1574. 

  1574. 		}
    1575. 

  1575. 

  1576. 		if !found && req.RemoteAccessClientID != "" {
    1577. 

  1577. 			for _, extClient := range extClients {
    1578. 

  1578. 				if extClient.RemoteAccessClientID == req.RemoteAccessClientID {
    1579. 

  1579. 					gwClient = extClient
    1580. 

  1580. 					found = true
    1581. 

  1581. 					break
    1582. 

  1582. 				}
    1583. 

  1583. 			}
    1584. 

  1584. 		}
    1585. 

  1585. 

  1586. 		if !found && len(extClients) > 0 {
    1587. 

  1587. 			// TODO: prevent ip clashes.
    1588. 

  1588. 			gwClient = extClients[0]
    1589. 

  1589. 		}
    1590. 

  1590. 

  1591. 		host, err := logic.GetHost(node.HostID.String())
    1592. 

  1592. 		if err != nil {
    1593. 

  1593. 			continue
    1594. 

  1594. 		}
    1595. 

  1595. 		network, err := logic.GetNetwork(node.Network)
    1596. 

  1596. 		if err != nil {
    1597. 

  1597. 			slog.Error("failed to get node network", "error", err)
    1598. 

  1598. 			continue
    1599. 

  1599. 		}
    1600. 

  1600. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1601. 

  1601. 		if len(nodesWithStatus) > 0 {
    1602. 

  1602. 			node = nodesWithStatus[0]
    1603. 

  1603. 		}
    1604. 

  1604. 

  1605. 		gws := userGws[node.Network]
    1606. 

  1606. 		if gwClient.DNS == "" {
    1607. 

  1607. 			logic.SetDNSOnWgConfig(&node, &gwClient)
    1608. 

  1608. 		}
    1609. 

  1609. 

  1610. 		gwClient.IngressGatewayEndpoint = utils.GetExtClientEndpoint(
    1611. 

  1611. 			host.EndpointIP,
    1612. 

  1612. 			host.EndpointIPv6,
    1613. 

  1613. 			logic.GetPeerListenPort(host),
    1614. 

  1614. 		)
    1615. 

  1615. 		gwClient.AllowedIPs = logic.GetExtclientAllowedIPs(gwClient)
    1616. 

  1616. 		gw := models.UserRemoteGws{
    1617. 

  1617. 			GwID:              node.ID.String(),
    1618. 

  1618. 			GWName:            host.Name,
    1619. 

  1619. 			Network:           node.Network,
    1620. 

  1620. 			GwClient:          gwClient,
    1621. 

  1621. 			Connected:         true,
    1622. 

  1622. 			IsInternetGateway: node.IsInternetGateway,
    1623. 

  1623. 			GwPeerPublicKey:   host.PublicKey.String(),
    1624. 

  1624. 			GwListenPort:      logic.GetPeerListenPort(host),
    1625. 

  1625. 			Metadata:          node.Metadata,
    1626. 

  1626. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1627. 

  1627. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1628. 

  1628. 			Status:            node.Status,
    1629. 

  1629. 			DnsAddress:        node.IngressDNS,
    1630. 

  1630. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1631. 

  1631. 		}
    1632. 

  1632. 		if !node.IsInternetGateway {
    1633. 

  1633. 			hNs := logic.GetNameserversForNode(&node)
    1634. 

  1634. 			for _, nsI := range hNs {
    1635. 

  1635. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1636. 

  1636. 			}
    1637. 

  1637. 		}
    1638. 

  1638. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1639. 

  1639. 		gws = append(gws, gw)
    1640. 

  1640. 		userGws[node.Network] = gws
    1641. 

  1641. 		delete(userGwNodes, node.ID.String())
    1642. 

  1642. 	}
    1643. 

  1643. 

  1644. 	// add remaining gw nodes to resp
    1645. 

  1645. 	for gwID := range userGwNodes {
    1646. 

  1646. 		node, err := logic.GetNodeByID(gwID)
    1647. 

  1647. 		if err != nil {
    1648. 

  1648. 			continue
    1649. 

  1649. 		}
    1650. 

  1650. 		if !node.IsIngressGateway {
    1651. 

  1651. 			continue
    1652. 

  1652. 		}
    1653. 

  1653. 		if node.PendingDelete {
    1654. 

  1654. 			continue
    1655. 

  1655. 		}
    1656. 

  1656. 		host, err := logic.GetHost(node.HostID.String())
    1657. 

  1657. 		if err != nil {
    1658. 

  1658. 			continue
    1659. 

  1659. 		}
    1660. 

  1660. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1661. 

  1661. 		if len(nodesWithStatus) > 0 {
    1662. 

  1662. 			node = nodesWithStatus[0]
    1663. 

  1663. 		}
    1664. 

  1664. 		network, err := logic.GetNetwork(node.Network)
    1665. 

  1665. 		if err != nil {
    1666. 

  1666. 			slog.Error("failed to get node network", "error", err)
    1667. 

  1667. 		}
    1668. 

  1668. 		gws := userGws[node.Network]
    1669. 

  1669. 		gw := models.UserRemoteGws{
    1670. 

  1670. 			GwID:              node.ID.String(),
    1671. 

  1671. 			GWName:            host.Name,
    1672. 

  1672. 			Network:           node.Network,
    1673. 

  1673. 			IsInternetGateway: node.IsInternetGateway,
    1674. 

  1674. 			GwPeerPublicKey:   host.PublicKey.String(),
    1675. 

  1675. 			GwListenPort:      logic.GetPeerListenPort(host),
    1676. 

  1676. 			Metadata:          node.Metadata,
    1677. 

  1677. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1678. 

  1678. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1679. 

  1679. 			Status:            node.Status,
    1680. 

  1680. 			DnsAddress:        node.IngressDNS,
    1681. 

  1681. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1682. 

  1682. 		}
    1683. 

  1683. 		if !node.IsInternetGateway {
    1684. 

  1684. 			hNs := logic.GetNameserversForNode(&node)
    1685. 

  1685. 			for _, nsI := range hNs {
    1686. 

  1686. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1687. 

  1687. 			}
    1688. 

  1688. 		}
    1689. 

  1689. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1690. 

  1690. 		gws = append(gws, gw)
    1691. 

  1691. 		userGws[node.Network] = gws
    1692. 

  1692. 	}
    1693. 

  1693. 

  1694. 	if reqFromMobile {
    1695. 

  1695. 		// send resp in array format
    1696. 

  1696. 		userGwsArr := []models.UserRemoteGws{}
    1697. 

  1697. 		for _, userGwI := range userGws {
    1698. 

  1698. 			userGwsArr = append(userGwsArr, userGwI...)
    1699. 

  1699. 		}
    1700. 

  1700. 		logic.ReturnSuccessResponseWithJson(w, r, userGwsArr, "fetched gateways for user"+username)
    1701. 

  1701. 		return
    1702. 

  1702. 	}
    1703. 

  1703. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1704. 

  1704. 	w.WriteHeader(http.StatusOK)
    1705. 

  1705. 	json.NewEncoder(w).Encode(userGws)
    1706. 

  1706. }
    1707. 

  1707. 

  1708. // @Summary     List users attached to an remote access gateway
    1709. 

  1709. // @Router      /api/nodes/{network}/{nodeid}/ingress/users [get]
    1710. 

  1710. // @Tags        PRO
    1711. 

  1711. // @Accept      json
    1712. 

  1712. // @Produce     json
    1713. 

  1713. // @Param       ingress_id path string true "Ingress Gateway ID"
    1714. 

  1714. // @Success     200 {array} models.IngressGwUsers
    1715. 

  1715. // @Failure     400 {object} models.ErrorResponse
    1716. 

  1716. // @Failure     500 {object} models.ErrorResponse
    1717. 

  1717. func ingressGatewayUsers(w http.ResponseWriter, r *http.Request) {
    1718. 

  1718. 	w.Header().Set("Content-Type", "application/json")
    1719. 

  1719. 	var params = mux.Vars(r)
    1720. 

  1720. 	ingressID := params["ingress_id"]
    1721. 

  1721. 	node, err := logic.GetNodeByID(ingressID)
    1722. 

  1722. 	if err != nil {
    1723. 

  1723. 		slog.Error("failed to get ingress node", "error", err)
    1724. 

  1724. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1725. 

  1725. 		return
    1726. 

  1726. 	}
    1727. 

  1727. 	gwUsers, err := logic.GetIngressGwUsers(node)
    1728. 

  1728. 	if err != nil {
    1729. 

  1729. 		slog.Error(
    1730. 

  1730. 			"failed to get users on ingress gateway",
    1731. 

  1731. 			"nodeid",
    1732. 

  1732. 			ingressID,
    1733. 

  1733. 			"network",
    1734. 

  1734. 			node.Network,
    1735. 

  1735. 			"user",
    1736. 

  1736. 			r.Header.Get("user"),
    1737. 

  1737. 			"error",
    1738. 

  1738. 			err,
    1739. 

  1739. 		)
    1740. 

  1740. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1741. 

  1741. 		return
    1742. 

  1742. 	}
    1743. 

  1743. 	w.WriteHeader(http.StatusOK)
    1744. 

  1744. 	json.NewEncoder(w).Encode(gwUsers)
    1745. 

  1745. }
    1746. 

  1746. 

  1747. func getAllowedRagEndpoints(ragNode *models.Node, ragHost *models.Host) []string {
    1748. 

  1748. 	endpoints := []string{}
    1749. 

  1749. 	if len(ragHost.EndpointIP) > 0 {
    1750. 

  1750. 		endpoints = append(endpoints, ragHost.EndpointIP.String())
    1751. 

  1751. 	}
    1752. 

  1752. 	if len(ragHost.EndpointIPv6) > 0 {
    1753. 

  1753. 		endpoints = append(endpoints, ragHost.EndpointIPv6.String())
    1754. 

  1754. 	}
    1755. 

  1755. 	if servercfg.IsPro {
    1756. 

  1756. 		for _, ip := range ragNode.AdditionalRagIps {
    1757. 

  1757. 			endpoints = append(endpoints, ip.String())
    1758. 

  1758. 		}
    1759. 

  1759. 	}
    1760. 

  1760. 	return endpoints
    1761. 

  1761. }
    1762. 

  1762. 

  1763. // @Summary     Get all pending users
    1764. 

  1764. // @Router      /api/users_pending [get]
    1765. 

  1765. // @Tags        Users
    1766. 

  1766. // @Success     200 {array} models.User
    1767. 

  1767. // @Failure     500 {object} models.ErrorResponse
    1768. 

  1768. func getPendingUsers(w http.ResponseWriter, r *http.Request) {
    1769. 

  1769. 	// set header.
    1770. 

  1770. 	w.Header().Set("Content-Type", "application/json")
    1771. 

  1771. 

  1772. 	users, err := logic.ListPendingReturnUsers()
    1773. 

  1773. 	if err != nil {
    1774. 

  1774. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1775. 

  1775. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1776. 

  1776. 		return
    1777. 

  1777. 	}
    1778. 

  1778. 

  1779. 	logic.SortUsers(users[:])
    1780. 

  1780. 	logger.Log(2, r.Header.Get("user"), "fetched pending users")
    1781. 

  1781. 	json.NewEncoder(w).Encode(users)
    1782. 

  1782. }
    1783. 

  1783. 

  1784. // @Summary     Approve a pending user
    1785. 

  1785. // @Router      /api/users_pending/user/{username} [post]
    1786. 

  1786. // @Tags        Users
    1787. 

  1787. // @Param       username path string true "Username of the pending user to approve"
    1788. 

  1788. // @Success     200 {string} string
    1789. 

  1789. // @Failure     500 {object} models.ErrorResponse
    1790. 

  1790. func approvePendingUser(w http.ResponseWriter, r *http.Request) {
    1791. 

  1791. 	// set header.
    1792. 

  1792. 	w.Header().Set("Content-Type", "application/json")
    1793. 

  1793. 	var params = mux.Vars(r)
    1794. 

  1794. 	username := params["username"]
    1795. 

  1795. 	users, err := logic.ListPendingUsers()
    1796. 

  1796. 

  1797. 	if err != nil {
    1798. 

  1798. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1799. 

  1799. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1800. 

  1800. 		return
    1801. 

  1801. 	}
    1802. 

  1802. 	for _, user := range users {
    1803. 

  1803. 		if user.UserName == username {
    1804. 

  1804. 			var newPass, fetchErr = logic.FetchPassValue("")
    1805. 

  1805. 			if fetchErr != nil {
    1806. 

  1806. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
    1807. 

  1807. 				return
    1808. 

  1808. 			}
    1809. 

  1809. 			if err = logic.CreateUser(&models.User{
    1810. 

  1810. 				UserName:                   user.UserName,
    1811. 

  1811. 				ExternalIdentityProviderID: user.ExternalIdentityProviderID,
    1812. 

  1812. 				Password:                   newPass,
    1813. 

  1813. 				AuthType:                   user.AuthType,
    1814. 

  1814. 				PlatformRoleID:             models.ServiceUser,
    1815. 

  1815. 			}); err != nil {
    1816. 

  1816. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to create user: %s", err), "internal"))
    1817. 

  1817. 				return
    1818. 

  1818. 			}
    1819. 

  1819. 			err = logic.DeletePendingUser(username)
    1820. 

  1820. 			if err != nil {
    1821. 

  1821. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1822. 

  1822. 				return
    1823. 

  1823. 			}
    1824. 

  1824. 			break
    1825. 

  1825. 		}
    1826. 

  1826. 	}
    1827. 

  1827. 	logic.LogEvent(&models.Event{
    1828. 

  1828. 		Action: models.Create,
    1829. 

  1829. 		Source: models.Subject{
    1830. 

  1830. 			ID:   r.Header.Get("user"),
    1831. 

  1831. 			Name: r.Header.Get("user"),
    1832. 

  1832. 			Type: models.UserSub,
    1833. 

  1833. 		},
    1834. 

  1834. 		TriggeredBy: r.Header.Get("user"),
    1835. 

  1835. 		Target: models.Subject{
    1836. 

  1836. 			ID:   username,
    1837. 

  1837. 			Name: username,
    1838. 

  1838. 			Type: models.PendingUserSub,
    1839. 

  1839. 		},
    1840. 

  1840. 		Origin: models.Dashboard,
    1841. 

  1841. 	})
    1842. 

  1842. 	logic.ReturnSuccessResponse(w, r, "approved "+username)
    1843. 

  1843. }
    1844. 

  1844. 

  1845. // @Summary     Delete a pending user
    1846. 

  1846. // @Router      /api/users_pending/user/{username} [delete]
    1847. 

  1847. // @Tags        Users
    1848. 

  1848. // @Param       username path string true "Username of the pending user to delete"
    1849. 

  1849. // @Success     200 {string} string
    1850. 

  1850. // @Failure     500 {object} models.ErrorResponse
    1851. 

  1851. func deletePendingUser(w http.ResponseWriter, r *http.Request) {
    1852. 

  1852. 	// set header.
    1853. 

  1853. 	w.Header().Set("Content-Type", "application/json")
    1854. 

  1854. 	var params = mux.Vars(r)
    1855. 

  1855. 	username := params["username"]
    1856. 

  1856. 	users, err := logic.ListPendingReturnUsers()
    1857. 

  1857. 

  1858. 	if err != nil {
    1859. 

  1859. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1860. 

  1860. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1861. 

  1861. 		return
    1862. 

  1862. 	}
    1863. 

  1863. 	for _, user := range users {
    1864. 

  1864. 		if user.UserName == username {
    1865. 

  1865. 			err = logic.DeletePendingUser(username)
    1866. 

  1866. 			if err != nil {
    1867. 

  1867. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1868. 

  1868. 				return
    1869. 

  1869. 			}
    1870. 

  1870. 			break
    1871. 

  1871. 		}
    1872. 

  1872. 	}
    1873. 

  1873. 	logic.LogEvent(&models.Event{
    1874. 

  1874. 		Action: models.Delete,
    1875. 

  1875. 		Source: models.Subject{
    1876. 

  1876. 			ID:   r.Header.Get("user"),
    1877. 

  1877. 			Name: r.Header.Get("user"),
    1878. 

  1878. 			Type: models.UserSub,
    1879. 

  1879. 		},
    1880. 

  1880. 		TriggeredBy: r.Header.Get("user"),
    1881. 

  1881. 		Target: models.Subject{
    1882. 

  1882. 			ID:   username,
    1883. 

  1883. 			Name: username,
    1884. 

  1884. 			Type: models.PendingUserSub,
    1885. 

  1885. 		},
    1886. 

  1886. 		Origin: models.Dashboard,
    1887. 

  1887. 	})
    1888. 

  1888. 	logic.ReturnSuccessResponse(w, r, "deleted pending "+username)
    1889. 

  1889. }
    1890. 

  1890. 

  1891. // @Summary     Delete all pending users
    1892. 

  1892. // @Router      /api/users_pending [delete]
    1893. 

  1893. // @Tags        Users
    1894. 

  1894. // @Success     200 {string} string
    1895. 

  1895. // @Failure     500 {object} models.ErrorResponse
    1896. 

  1896. func deleteAllPendingUsers(w http.ResponseWriter, r *http.Request) {
    1897. 

  1897. 	// set header.
    1898. 

  1898. 	err := database.DeleteAllRecords(database.PENDING_USERS_TABLE_NAME)
    1899. 

  1899. 	if err != nil {
    1900. 

  1900. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending users "+err.Error()), "internal"))
    1901. 

  1901. 		return
    1902. 

  1902. 	}
    1903. 

  1903. 	logic.LogEvent(&models.Event{
    1904. 

  1904. 		Action: models.DeleteAll,
    1905. 

  1905. 		Source: models.Subject{
    1906. 

  1906. 			ID:   r.Header.Get("user"),
    1907. 

  1907. 			Name: r.Header.Get("user"),
    1908. 

  1908. 			Type: models.UserSub,
    1909. 

  1909. 		},
    1910. 

  1910. 		TriggeredBy: r.Header.Get("user"),
    1911. 

  1911. 		Target: models.Subject{
    1912. 

  1912. 			ID:   r.Header.Get("user"),
    1913. 

  1913. 			Name: r.Header.Get("user"),
    1914. 

  1914. 			Type: models.PendingUserSub,
    1915. 

  1915. 		},
    1916. 

  1916. 		Origin: models.Dashboard,
    1917. 

  1917. 	})
    1918. 

  1918. 	logic.ReturnSuccessResponse(w, r, "cleared all pending users")
    1919. 

  1919. }
    1920. 

  1920. 

  1921. // @Summary     Sync users and groups from idp.
    1922. 

  1922. // @Router      /api/idp/sync [post]
    1923. 

  1923. // @Tags        IDP
    1924. 

  1924. // @Success     200 {object} models.SuccessResponse
    1925. 

  1925. func syncIDP(w http.ResponseWriter, r *http.Request) {
    1926. 

  1926. 	go func() {
    1927. 

  1927. 		err := proAuth.SyncFromIDP()
    1928. 

  1928. 		if err != nil {
    1929. 

  1929. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    1930. 

  1930. 		} else {
    1931. 

  1931. 			logger.Log(0, "sync from idp complete")
    1932. 

  1932. 		}
    1933. 

  1933. 	}()
    1934. 

  1934. 

  1935. 	logic.ReturnSuccessResponse(w, r, "starting sync from idp")
    1936. 

  1936. }
    1937. 

  1937. 

  1938. // @Summary     Test IDP Sync Credentials.
    1939. 

  1939. // @Router      /api/idp/sync/test [post]
    1940. 

  1940. // @Tags        IDP
    1941. 

  1941. // @Success     200 {object} models.SuccessResponse
    1942. 

  1942. // @Failure     400 {object} models.ErrorResponse
    1943. 

  1943. func testIDPSync(w http.ResponseWriter, r *http.Request) {
    1944. 

  1944. 	var req models.IDPSyncTestRequest
    1945. 

  1945. 	err := json.NewDecoder(r.Body).Decode(&req)
    1946. 

  1946. 	if err != nil {
    1947. 

  1947. 		err = fmt.Errorf("failed to decode request body: %v", err)
    1948. 

  1948. 		logger.Log(0, err.Error())
    1949. 

  1949. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1950. 

  1950. 		return
    1951. 

  1951. 	}
    1952. 

  1952. 

  1953. 	var idpClient idp.Client
    1954. 

  1954. 	switch req.AuthProvider {
    1955. 

  1955. 	case "google":
    1956. 

  1956. 		idpClient, err = google.NewGoogleWorkspaceClient(req.GoogleAdminEmail, req.GoogleSACredsJson)
    1957. 

  1957. 		if err != nil {
    1958. 

  1958. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1959. 

  1959. 			return
    1960. 

  1960. 		}
    1961. 

  1961. 	case "azure-ad":
    1962. 

  1962. 		idpClient = azure.NewAzureEntraIDClient(req.ClientID, req.ClientSecret, req.AzureTenantID)
    1963. 

  1963. 	case "okta":
    1964. 

  1964. 		idpClient, err = okta.NewOktaClient(req.OktaOrgURL, req.OktaAPIToken)
    1965. 

  1965. 		if err != nil {
    1966. 

  1966. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1967. 

  1967. 			return
    1968. 

  1968. 		}
    1969. 

  1969. 	default:
    1970. 

  1970. 		err = fmt.Errorf("invalid auth provider: %s", req.AuthProvider)
    1971. 

  1971. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1972. 

  1972. 		return
    1973. 

  1973. 	}
    1974. 

  1974. 

  1975. 	err = idpClient.Verify()
    1976. 

  1976. 	if err != nil {
    1977. 

  1977. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1978. 

  1978. 		return
    1979. 

  1979. 	}
    1980. 

  1980. 

  1981. 	logic.ReturnSuccessResponse(w, r, "idp sync test successful")
    1982. 

  1982. }
    1983. 

  1983. 

  1984. // @Summary     Gets idp sync status.
    1985. 

  1985. // @Router      /api/idp/sync/status [get]
    1986. 

  1986. // @Tags        IDP
    1987. 

  1987. // @Success     200 {object} models.SuccessResponse
    1988. 

  1988. func getIDPSyncStatus(w http.ResponseWriter, r *http.Request) {
    1989. 

  1989. 	logic.ReturnSuccessResponseWithJson(w, r, proAuth.GetIDPSyncStatus(), "idp sync status retrieved")
    1990. 

  1990. }
    1991. 

  1991. 

  1992. // @Summary     Remove idp integration.
    1993. 

  1993. // @Router      /api/idp [delete]
    1994. 

  1994. // @Tags        IDP
    1995. 

  1995. // @Success     200 {object} models.SuccessResponse
    1996. 

  1996. // @Failure     500 {object} models.ErrorResponse
    1997. 

  1997. func removeIDPIntegration(w http.ResponseWriter, r *http.Request) {
    1998. 

  1998. 	superAdmin, err := logic.GetSuperAdmin()
    1999. 

  1999. 	if err != nil {
    2000. 

  2000. 		logic.ReturnErrorResponse(
    2001. 

  2001. 			w,
    2002. 

  2002. 			r,
    2003. 

  2003. 			logic.FormatError(fmt.Errorf("failed to get superadmin: %v", err), "internal"),
    2004. 

  2004. 		)
    2005. 

  2005. 		return
    2006. 

  2006. 	}
    2007. 

  2007. 

  2008. 	if superAdmin.AuthType == models.OAuth {
    2009. 

  2009. 		err := fmt.Errorf(
    2010. 

  2010. 			"cannot remove IdP integration because an OAuth user has the super-admin role; transfer the super-admin role to another user first",
    2011. 

  2011. 		)
    2012. 

  2012. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    2013. 

  2013. 		return
    2014. 

  2014. 	}
    2015. 

  2015. 

  2016. 	settings := logic.GetServerSettings()
    2017. 

  2017. 	settings.AuthProvider = ""
    2018. 

  2018. 	settings.OIDCIssuer = ""
    2019. 

  2019. 	settings.ClientID = ""
    2020. 

  2020. 	settings.ClientSecret = ""
    2021. 

  2021. 	settings.SyncEnabled = false
    2022. 

  2022. 	settings.GoogleAdminEmail = ""
    2023. 

  2023. 	settings.GoogleSACredsJson = ""
    2024. 

  2024. 	settings.AzureTenant = ""
    2025. 

  2025. 	settings.UserFilters = nil
    2026. 

  2026. 	settings.GroupFilters = nil
    2027. 

  2027. 

  2028. 	err = logic.UpsertServerSettings(settings)
    2029. 

  2029. 	if err != nil {
    2030. 

  2030. 		logic.ReturnErrorResponse(
    2031. 

  2031. 			w,
    2032. 

  2032. 			r,
    2033. 

  2033. 			logic.FormatError(fmt.Errorf("failed to remove idp integration: %v", err), "internal"),
    2034. 

  2034. 		)
    2035. 

  2035. 		return
    2036. 

  2036. 	}
    2037. 

  2037. 

  2038. 	proAuth.ResetAuthProvider()
    2039. 

  2039. 	proAuth.ResetIDPSyncHook()
    2040. 

  2040. 

  2041. 	go func() {
    2042. 

  2042. 		err := proAuth.SyncFromIDP()
    2043. 

  2043. 		if err != nil {
    2044. 

  2044. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    2045. 

  2045. 		} else {
    2046. 

  2046. 			logger.Log(0, "sync from idp complete")
    2047. 

  2047. 		}
    2048. 

  2048. 	}()
    2049. 

  2049. 

  2050. 	logic.ReturnSuccessResponse(w, r, "removed idp integration successfully")
    2051. 

  2051. }
    2052.