Inicio Explorar Axuda
Iniciar sesión
golang
/
netmaker
réplica de https://github.com/gravitl/netmaker
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Rama: develop
Ramas Etiquetas
netmaker
/
pro
/
controllers
/
users.go

users.go 63 KB
Permalink Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021 
  1. package controllers
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 	"fmt"
    8. 

  8. 	"net/http"
    9. 

  9. 	"net/url"
    10. 

  10. 	"strings"
    11. 

  11. 	"time"
    12. 

  12. 

  13. 	"github.com/google/uuid"
    14. 

  14. 	"github.com/gorilla/mux"
    15. 

  15. 	"github.com/gravitl/netmaker/database"
    16. 

  16. 	"github.com/gravitl/netmaker/logger"
    17. 

  17. 	"github.com/gravitl/netmaker/logic"
    18. 

  18. 	"github.com/gravitl/netmaker/models"
    19. 

  19. 	"github.com/gravitl/netmaker/mq"
    20. 

  20. 	proAuth "github.com/gravitl/netmaker/pro/auth"
    21. 

  21. 	"github.com/gravitl/netmaker/pro/email"
    22. 

  22. 	"github.com/gravitl/netmaker/pro/idp"
    23. 

  23. 	"github.com/gravitl/netmaker/pro/idp/azure"
    24. 

  24. 	"github.com/gravitl/netmaker/pro/idp/google"
    25. 

  25. 	"github.com/gravitl/netmaker/pro/idp/okta"
    26. 

  26. 	proLogic "github.com/gravitl/netmaker/pro/logic"
    27. 

  27. 	"github.com/gravitl/netmaker/servercfg"
    28. 

  28. 	"github.com/gravitl/netmaker/utils"
    29. 

  29. 	"golang.org/x/exp/slog"
    30. 

  30. )
    31. 

  31. 

  32. func UserHandlers(r *mux.Router) {
    33. 

  33. 

  34. 	r.HandleFunc("/api/oauth/login", proAuth.HandleAuthLogin).Methods(http.MethodGet)
    35. 

  35. 	r.HandleFunc("/api/oauth/callback", proAuth.HandleAuthCallback).Methods(http.MethodGet)
    36. 

  36. 	r.HandleFunc("/api/oauth/headless", proAuth.HandleHeadlessSSO)
    37. 

  37. 	r.HandleFunc("/api/oauth/register/{regKey}", proAuth.RegisterHostSSO).Methods(http.MethodGet)
    38. 

  38. 

  39. 	// User Role Handlers
    40. 

  40. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
    42. 

  42. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
    43. 

  43. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)
    44. 

  44. 

  45. 	// User Group Handlers
    46. 

  46. 	r.HandleFunc("/api/v1/users/groups", logic.SecurityCheck(true, http.HandlerFunc(listUserGroups))).Methods(http.MethodGet)
    47. 

  47. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(getUserGroup))).Methods(http.MethodGet)
    48. 

  48. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(createUserGroup))).Methods(http.MethodPost)
    49. 

  49. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(updateUserGroup))).Methods(http.MethodPut)
    50. 

  50. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(deleteUserGroup))).Methods(http.MethodDelete)
    51. 

  51. 	r.HandleFunc("/api/v1/users/add_network_user", logic.SecurityCheck(true, http.HandlerFunc(addUsertoNetwork))).Methods(http.MethodPut)
    52. 

  52. 	r.HandleFunc("/api/v1/users/remove_network_user", logic.SecurityCheck(true, http.HandlerFunc(removeUserfromNetwork))).Methods(http.MethodPut)
    53. 

  53. 	r.HandleFunc("/api/v1/users/unassigned_network_users", logic.SecurityCheck(true, http.HandlerFunc(listUnAssignedNetUsers))).Methods(http.MethodGet)
    54. 

  54. 

  55. 	// User Invite Handlers
    56. 

  56. 	r.HandleFunc("/api/v1/users/invite", userInviteVerify).Methods(http.MethodGet)
    57. 

  57. 	r.HandleFunc("/api/v1/users/invite-signup", userInviteSignUp).Methods(http.MethodPost)
    58. 

  58. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(inviteUsers))).Methods(http.MethodPost)
    59. 

  59. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(listUserInvites))).Methods(http.MethodGet)
    60. 

  60. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(deleteUserInvite))).Methods(http.MethodDelete)
    61. 

  61. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(deleteAllUserInvites))).Methods(http.MethodDelete)
    62. 

  62. 

  63. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(getPendingUsers))).Methods(http.MethodGet)
    64. 

  64. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(deleteAllPendingUsers))).Methods(http.MethodDelete)
    65. 

  65. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
    66. 

  66. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)
    67. 

  67. 

  68. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(attachUserToRemoteAccessGw))).Methods(http.MethodPost)
    69. 

  69. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(removeUserFromRemoteAccessGW))).Methods(http.MethodDelete)
    70. 

  70. 	r.HandleFunc("/api/users/{username}/remote_access_gw", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserRemoteAccessGwsV1)))).Methods(http.MethodGet)
    71. 

  71. 	r.HandleFunc("/api/users/ingress/{ingress_id}", logic.SecurityCheck(true, http.HandlerFunc(ingressGatewayUsers))).Methods(http.MethodGet)
    72. 

  72. 

  73. 	r.HandleFunc("/api/idp/sync", logic.SecurityCheck(true, http.HandlerFunc(syncIDP))).Methods(http.MethodPost)
    74. 

  74. 	r.HandleFunc("/api/idp/sync/test", logic.SecurityCheck(true, http.HandlerFunc(testIDPSync))).Methods(http.MethodPost)
    75. 

  75. 	r.HandleFunc("/api/idp/sync/status", logic.SecurityCheck(true, http.HandlerFunc(getIDPSyncStatus))).Methods(http.MethodGet)
    76. 

  76. 	r.HandleFunc("/api/idp", logic.SecurityCheck(true, http.HandlerFunc(removeIDPIntegration))).Methods(http.MethodDelete)
    77. 

  77. }
    78. 

  78. 

  79. // swagger:route POST /api/v1/users/invite-signup user userInviteSignUp
    80. 

  80. //
    81. 

  81. // user signup via invite.
    82. 

  82. //
    83. 

  83. //	Schemes: https
    84. 

  84. //
    85. 

  85. //	Responses:
    86. 

  86. //		200: ReturnSuccessResponse
    87. 

  87. func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
    88. 

  88. 	email := r.URL.Query().Get("email")
    89. 

  89. 	code := r.URL.Query().Get("invite_code")
    90. 

  90. 	in, err := logic.GetUserInvite(email)
    91. 

  91. 	if err != nil {
    92. 

  92. 		logger.Log(0, "failed to fetch users: ", err.Error())
    93. 

  93. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    94. 

  94. 		return
    95. 

  95. 	}
    96. 

  96. 	if code != in.InviteCode {
    97. 

  97. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid invite code"), "badrequest"))
    98. 

  98. 		return
    99. 

  99. 	}
    100. 

  100. 	// check if user already exists
    101. 

  101. 	_, err = logic.GetUser(email)
    102. 

  102. 	if err == nil {
    103. 

  103. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user already exists"), "badrequest"))
    104. 

  104. 		return
    105. 

  105. 	}
    106. 

  106. 	var user models.User
    107. 

  107. 	err = json.NewDecoder(r.Body).Decode(&user)
    108. 

  108. 	if err != nil {
    109. 

  109. 		logger.Log(0, user.UserName, "error decoding request body: ",
    110. 

  110. 			err.Error())
    111. 

  111. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    112. 

  112. 		return
    113. 

  113. 	}
    114. 

  114. 	if user.UserName != email {
    115. 

  115. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not matching with invite"), "badrequest"))
    116. 

  116. 		return
    117. 

  117. 	}
    118. 

  118. 	if user.Password == "" {
    119. 

  119. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("password cannot be empty"), "badrequest"))
    120. 

  120. 		return
    121. 

  121. 	}
    122. 

  122. 

  123. 	user.UserGroups = in.UserGroups
    124. 

  124. 	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
    125. 

  125. 	if user.PlatformRoleID == "" {
    126. 

  126. 		user.PlatformRoleID = models.ServiceUser
    127. 

  127. 	}
    128. 

  128. 	user.NetworkRoles = in.NetworkRoles
    129. 

  129. 	err = logic.CreateUser(&user)
    130. 

  130. 	if err != nil {
    131. 

  131. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    132. 

  132. 		return
    133. 

  133. 	}
    134. 

  134. 	// delete invite
    135. 

  135. 	logic.DeleteUserInvite(email)
    136. 

  136. 	logic.DeletePendingUser(email)
    137. 

  137. 	w.Header().Set("Access-Control-Allow-Origin", "*")
    138. 

  138. 	logic.ReturnSuccessResponse(w, r, "created user successfully "+email)
    139. 

  139. }
    140. 

  140. 

  141. // swagger:route GET /api/v1/users/invite user userInviteVerify
    142. 

  142. //
    143. 

  143. // verfies user invite.
    144. 

  144. //
    145. 

  145. //	Schemes: https
    146. 

  146. //
    147. 

  147. //	Responses:
    148. 

  148. //		200: ReturnSuccessResponse
    149. 

  149. func userInviteVerify(w http.ResponseWriter, r *http.Request) {
    150. 

  150. 	email := r.URL.Query().Get("email")
    151. 

  151. 	code := r.URL.Query().Get("invite_code")
    152. 

  152. 	err := logic.ValidateAndApproveUserInvite(email, code)
    153. 

  153. 	if err != nil {
    154. 

  154. 		logger.Log(0, "failed to fetch users: ", err.Error())
    155. 

  155. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    156. 

  156. 		return
    157. 

  157. 	}
    158. 

  158. 	logic.ReturnSuccessResponse(w, r, "invite is valid")
    159. 

  159. }
    160. 

  160. 

  161. // swagger:route POST /api/v1/users/invite user inviteUsers
    162. 

  162. //
    163. 

  163. // invite users.
    164. 

  164. //
    165. 

  165. //			Schemes: https
    166. 

  166. //
    167. 

  167. //			Security:
    168. 

  168. //	  		oauth
    169. 

  169. //
    170. 

  170. //			Responses:
    171. 

  171. //				200: userBodyResponse
    172. 

  172. func inviteUsers(w http.ResponseWriter, r *http.Request) {
    173. 

  173. 	var inviteReq models.InviteUsersReq
    174. 

  174. 	err := json.NewDecoder(r.Body).Decode(&inviteReq)
    175. 

  175. 	if err != nil {
    176. 

  176. 		slog.Error("error decoding request body", "error",
    177. 

  177. 			err.Error())
    178. 

  178. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    179. 

  179. 		return
    180. 

  180. 	}
    181. 

  181. 	callerUserName := r.Header.Get("user")
    182. 

  182. 	if r.Header.Get("ismaster") != "yes" {
    183. 

  183. 		caller, err := logic.GetUser(callerUserName)
    184. 

  184. 		if err != nil {
    185. 

  185. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "notfound"))
    186. 

  186. 			return
    187. 

  187. 		}
    188. 

  188. 		if inviteReq.PlatformRoleID == models.SuperAdminRole.String() {
    189. 

  189. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("super admin cannot be invited"), "badrequest"))
    190. 

  190. 			return
    191. 

  191. 		}
    192. 

  192. 		if inviteReq.PlatformRoleID == "" {
    193. 

  193. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role id cannot be empty"), "badrequest"))
    194. 

  194. 			return
    195. 

  195. 		}
    196. 

  196. 		if (inviteReq.PlatformRoleID == models.AdminRole.String() ||
    197. 

  197. 			inviteReq.PlatformRoleID == models.SuperAdminRole.String()) && caller.PlatformRoleID != models.SuperAdminRole {
    198. 

  198. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can invite admin users"), "forbidden"))
    199. 

  199. 			return
    200. 

  200. 		}
    201. 

  201. 	}
    202. 

  202. 

  203. 	//validate Req
    204. 

  204. 	err = proLogic.IsGroupsValid(inviteReq.UserGroups)
    205. 

  205. 	if err != nil {
    206. 

  206. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    207. 

  207. 		return
    208. 

  208. 	}
    209. 

  209. 	err = proLogic.IsNetworkRolesValid(inviteReq.NetworkRoles)
    210. 

  210. 	if err != nil {
    211. 

  211. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    212. 

  212. 		return
    213. 

  213. 	}
    214. 

  214. 

  215. 	// check platform role
    216. 

  216. 	_, err = logic.GetRole(models.UserRoleID(inviteReq.PlatformRoleID))
    217. 

  217. 	if err != nil {
    218. 

  218. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    219. 

  219. 		return
    220. 

  220. 	}
    221. 

  221. 	for _, inviteeEmail := range inviteReq.UserEmails {
    222. 

  222. 		inviteeEmail = strings.ToLower(inviteeEmail)
    223. 

  223. 		// check if user with email exists, then ignore
    224. 

  224. 		if !email.IsValid(inviteeEmail) {
    225. 

  225. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid email "+inviteeEmail), "badrequest"))
    226. 

  226. 			return
    227. 

  227. 		}
    228. 

  228. 		_, err := logic.GetUser(inviteeEmail)
    229. 

  229. 		if err == nil {
    230. 

  230. 			// user exists already, so ignore
    231. 

  231. 			continue
    232. 

  232. 		}
    233. 

  233. 		invite := models.UserInvite{
    234. 

  234. 			Email:          inviteeEmail,
    235. 

  235. 			PlatformRoleID: inviteReq.PlatformRoleID,
    236. 

  236. 			UserGroups:     inviteReq.UserGroups,
    237. 

  237. 			NetworkRoles:   inviteReq.NetworkRoles,
    238. 

  238. 			InviteCode:     logic.RandomString(8),
    239. 

  239. 		}
    240. 

  240. 		frontendURL := strings.TrimSuffix(servercfg.GetFrontendURL(), "/")
    241. 

  241. 		if frontendURL == "" {
    242. 

  242. 			frontendURL = fmt.Sprintf("https://dashboard.%s", servercfg.GetNmBaseDomain())
    243. 

  243. 		}
    244. 

  244. 		u, err := url.Parse(fmt.Sprintf("%s/invite?email=%s&invite_code=%s",
    245. 

  245. 			frontendURL, url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    246. 

  246. 		if err != nil {
    247. 

  247. 			slog.Error("failed to parse to invite url", "error", err)
    248. 

  248. 			return
    249. 

  249. 		}
    250. 

  250. 		if servercfg.DeployedByOperator() {
    251. 

  251. 			u, err = url.Parse(fmt.Sprintf("%s/invite?tenant_id=%s&email=%s&invite_code=%s",
    252. 

  252. 				proLogic.GetAccountsUIHost(), url.QueryEscape(servercfg.GetNetmakerTenantID()), url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    253. 

  253. 			if err != nil {
    254. 

  254. 				slog.Error("failed to parse to invite url", "error", err)
    255. 

  255. 				return
    256. 

  256. 			}
    257. 

  257. 		}
    258. 

  258. 		invite.InviteURL = u.String()
    259. 

  259. 		err = logic.InsertUserInvite(invite)
    260. 

  260. 		if err != nil {
    261. 

  261. 			slog.Error("failed to insert invite for user", "email", invite.Email, "error", err)
    262. 

  262. 		}
    263. 

  263. 		logic.LogEvent(&models.Event{
    264. 

  264. 			Action: models.Create,
    265. 

  265. 			Source: models.Subject{
    266. 

  266. 				ID:   callerUserName,
    267. 

  267. 				Name: callerUserName,
    268. 

  268. 				Type: models.UserSub,
    269. 

  269. 				Info: invite,
    270. 

  270. 			},
    271. 

  271. 			TriggeredBy: callerUserName,
    272. 

  272. 			Target: models.Subject{
    273. 

  273. 				ID:   inviteeEmail,
    274. 

  274. 				Name: inviteeEmail,
    275. 

  275. 				Type: models.UserInviteSub,
    276. 

  276. 			},
    277. 

  277. 			Origin: models.Dashboard,
    278. 

  278. 		})
    279. 

  279. 		// notify user with magic link
    280. 

  280. 		go func(invite models.UserInvite) {
    281. 

  281. 			// Set E-Mail body. You can set plain text or html with text/html
    282. 

  282. 

  283. 			e := email.UserInvitedMail{
    284. 

  284. 				BodyBuilder:    &email.EmailBodyBuilderWithH1HeadlineAndImage{},
    285. 

  285. 				InviteURL:      invite.InviteURL,
    286. 

  286. 				PlatformRoleID: invite.PlatformRoleID,
    287. 

  287. 			}
    288. 

  288. 			n := email.Notification{
    289. 

  289. 				RecipientMail: invite.Email,
    290. 

  290. 			}
    291. 

  291. 			err = email.GetClient().SendEmail(context.Background(), n, e)
    292. 

  292. 			if err != nil {
    293. 

  293. 				slog.Error("failed to send email invite", "user", invite.Email, "error", err)
    294. 

  294. 			}
    295. 

  295. 		}(invite)
    296. 

  296. 	}
    297. 

  297. 

  298. 	logic.ReturnSuccessResponse(w, r, "triggered user invites")
    299. 

  299. }
    300. 

  300. 

  301. // swagger:route GET /api/v1/users/invites user listUserInvites
    302. 

  302. //
    303. 

  303. // lists all pending invited users.
    304. 

  304. //
    305. 

  305. //			Schemes: https
    306. 

  306. //
    307. 

  307. //			Security:
    308. 

  308. //	  		oauth
    309. 

  309. //
    310. 

  310. //			Responses:
    311. 

  311. //				200: ReturnSuccessResponseWithJson
    312. 

  312. func listUserInvites(w http.ResponseWriter, r *http.Request) {
    313. 

  313. 	usersInvites, err := logic.ListUserInvites()
    314. 

  314. 	if err != nil {
    315. 

  315. 		logger.Log(0, "failed to fetch users: ", err.Error())
    316. 

  316. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    317. 

  317. 		return
    318. 

  318. 	}
    319. 

  319. 	logic.ReturnSuccessResponseWithJson(w, r, usersInvites, "fetched pending user invites")
    320. 

  320. }
    321. 

  321. 

  322. // swagger:route DELETE /api/v1/users/invite user deleteUserInvite
    323. 

  323. //
    324. 

  324. // delete pending invite.
    325. 

  325. //
    326. 

  326. //			Schemes: https
    327. 

  327. //
    328. 

  328. //			Security:
    329. 

  329. //	  		oauth
    330. 

  330. //
    331. 

  331. //			Responses:
    332. 

  332. //				200: ReturnSuccessResponse
    333. 

  333. func deleteUserInvite(w http.ResponseWriter, r *http.Request) {
    334. 

  334. 	email := r.URL.Query().Get("invitee_email")
    335. 

  335. 	err := logic.DeleteUserInvite(email)
    336. 

  336. 	if err != nil {
    337. 

  337. 		logger.Log(0, "failed to delete user invite: ", email, err.Error())
    338. 

  338. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    339. 

  339. 		return
    340. 

  340. 	}
    341. 

  341. 	logic.LogEvent(&models.Event{
    342. 

  342. 		Action: models.Delete,
    343. 

  343. 		Source: models.Subject{
    344. 

  344. 			ID:   r.Header.Get("user"),
    345. 

  345. 			Name: r.Header.Get("user"),
    346. 

  346. 			Type: models.UserSub,
    347. 

  347. 		},
    348. 

  348. 		TriggeredBy: r.Header.Get("user"),
    349. 

  349. 		Target: models.Subject{
    350. 

  350. 			ID:   email,
    351. 

  351. 			Name: email,
    352. 

  352. 			Type: models.UserInviteSub,
    353. 

  353. 		},
    354. 

  354. 		Origin: models.Dashboard,
    355. 

  355. 	})
    356. 

  356. 	logic.ReturnSuccessResponse(w, r, "deleted user invite")
    357. 

  357. }
    358. 

  358. 

  359. // swagger:route DELETE /api/v1/users/invites user deleteAllUserInvites
    360. 

  360. //
    361. 

  361. // deletes all pending invites.
    362. 

  362. //
    363. 

  363. //			Schemes: https
    364. 

  364. //
    365. 

  365. //			Security:
    366. 

  366. //	  		oauth
    367. 

  367. //
    368. 

  368. //			Responses:
    369. 

  369. //				200: ReturnSuccessResponse
    370. 

  370. func deleteAllUserInvites(w http.ResponseWriter, r *http.Request) {
    371. 

  371. 	err := database.DeleteAllRecords(database.USER_INVITES_TABLE_NAME)
    372. 

  372. 	if err != nil {
    373. 

  373. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending user invites "+err.Error()), "internal"))
    374. 

  374. 		return
    375. 

  375. 	}
    376. 

  376. 	logic.LogEvent(&models.Event{
    377. 

  377. 		Action: models.DeleteAll,
    378. 

  378. 		Source: models.Subject{
    379. 

  379. 			ID:   r.Header.Get("user"),
    380. 

  380. 			Name: r.Header.Get("user"),
    381. 

  381. 			Type: models.UserSub,
    382. 

  382. 		},
    383. 

  383. 		TriggeredBy: r.Header.Get("user"),
    384. 

  384. 		Target: models.Subject{
    385. 

  385. 			ID:   "All Invites",
    386. 

  386. 			Name: "All Invites",
    387. 

  387. 			Type: models.UserInviteSub,
    388. 

  388. 		},
    389. 

  389. 		Origin: models.Dashboard,
    390. 

  390. 	})
    391. 

  391. 	logic.ReturnSuccessResponse(w, r, "cleared all pending user invites")
    392. 

  392. }
    393. 

  393. 

  394. // swagger:route GET /api/v1/user/groups user listUserGroups
    395. 

  395. //
    396. 

  396. // Get all user groups.
    397. 

  397. //
    398. 

  398. //			Schemes: https
    399. 

  399. //
    400. 

  400. //			Security:
    401. 

  401. //	  		oauth
    402. 

  402. //
    403. 

  403. //			Responses:
    404. 

  404. //				200: userBodyResponse
    405. 

  405. func listUserGroups(w http.ResponseWriter, r *http.Request) {
    406. 

  406. 	groups, err := proLogic.ListUserGroups()
    407. 

  407. 	if err != nil {
    408. 

  408. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    409. 

  409. 			Code:    http.StatusInternalServerError,
    410. 

  410. 			Message: err.Error(),
    411. 

  411. 		})
    412. 

  412. 		return
    413. 

  413. 	}
    414. 

  414. 	logic.ReturnSuccessResponseWithJson(w, r, groups, "successfully fetched user groups")
    415. 

  415. }
    416. 

  416. 

  417. // swagger:route GET /api/v1/user/group user getUserGroup
    418. 

  418. //
    419. 

  419. // Get user group.
    420. 

  420. //
    421. 

  421. //			Schemes: https
    422. 

  422. //
    423. 

  423. //			Security:
    424. 

  424. //	  		oauth
    425. 

  425. //
    426. 

  426. //			Responses:
    427. 

  427. //				200: userBodyResponse
    428. 

  428. func getUserGroup(w http.ResponseWriter, r *http.Request) {
    429. 

  429. 

  430. 	gid := r.URL.Query().Get("group_id")
    431. 

  431. 	if gid == "" {
    432. 

  432. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    433. 

  433. 		return
    434. 

  434. 	}
    435. 

  435. 	group, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    436. 

  436. 	if err != nil {
    437. 

  437. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    438. 

  438. 			Code:    http.StatusInternalServerError,
    439. 

  439. 			Message: err.Error(),
    440. 

  440. 		})
    441. 

  441. 		return
    442. 

  442. 	}
    443. 

  443. 	logic.ReturnSuccessResponseWithJson(w, r, group, "successfully fetched user group")
    444. 

  444. }
    445. 

  445. 

  446. // swagger:route POST /api/v1/user/group user createUserGroup
    447. 

  447. //
    448. 

  448. // Create user groups.
    449. 

  449. //
    450. 

  450. //			Schemes: https
    451. 

  451. //
    452. 

  452. //			Security:
    453. 

  453. //	  		oauth
    454. 

  454. //
    455. 

  455. //			Responses:
    456. 

  456. //				200: userBodyResponse
    457. 

  457. func createUserGroup(w http.ResponseWriter, r *http.Request) {
    458. 

  458. 	var userGroupReq models.CreateGroupReq
    459. 

  459. 	err := json.NewDecoder(r.Body).Decode(&userGroupReq)
    460. 

  460. 	if err != nil {
    461. 

  461. 		slog.Error("error decoding request body", "error",
    462. 

  462. 			err.Error())
    463. 

  463. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    464. 

  464. 		return
    465. 

  465. 	}
    466. 

  466. 	err = proLogic.ValidateCreateGroupReq(userGroupReq.Group)
    467. 

  467. 	if err != nil {
    468. 

  468. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    469. 

  469. 		return
    470. 

  470. 	}
    471. 

  471. 	err = proLogic.CreateUserGroup(&userGroupReq.Group)
    472. 

  472. 	if err != nil {
    473. 

  473. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    474. 

  474. 		return
    475. 

  475. 	}
    476. 

  476. 

  477. 	for _, userID := range userGroupReq.Members {
    478. 

  478. 		user, err := logic.GetUser(userID)
    479. 

  479. 		if err != nil {
    480. 

  480. 			continue
    481. 

  481. 		}
    482. 

  482. 		if len(user.UserGroups) == 0 {
    483. 

  483. 			user.UserGroups = make(map[models.UserGroupID]struct{})
    484. 

  484. 		}
    485. 

  485. 		user.UserGroups[userGroupReq.Group.ID] = struct{}{}
    486. 

  486. 		logic.UpsertUser(*user)
    487. 

  487. 	}
    488. 

  488. 	logic.LogEvent(&models.Event{
    489. 

  489. 		Action: models.Create,
    490. 

  490. 		Source: models.Subject{
    491. 

  491. 			ID:   r.Header.Get("user"),
    492. 

  492. 			Name: r.Header.Get("user"),
    493. 

  493. 			Type: models.UserSub,
    494. 

  494. 		},
    495. 

  495. 		TriggeredBy: r.Header.Get("user"),
    496. 

  496. 		Target: models.Subject{
    497. 

  497. 			ID:   userGroupReq.Group.ID.String(),
    498. 

  498. 			Name: userGroupReq.Group.Name,
    499. 

  499. 			Type: models.UserGroupSub,
    500. 

  500. 		},
    501. 

  501. 		Origin: models.Dashboard,
    502. 

  502. 	})
    503. 

  503. 	go mq.PublishPeerUpdate(false)
    504. 

  504. 	logic.ReturnSuccessResponseWithJson(w, r, userGroupReq.Group, "created user group")
    505. 

  505. }
    506. 

  506. 

  507. // swagger:route PUT /api/v1/user/group user updateUserGroup
    508. 

  508. //
    509. 

  509. // Update user group.
    510. 

  510. //
    511. 

  511. //			Schemes: https
    512. 

  512. //
    513. 

  513. //			Security:
    514. 

  514. //	  		oauth
    515. 

  515. //
    516. 

  516. //			Responses:
    517. 

  517. //				200: userBodyResponse
    518. 

  518. func updateUserGroup(w http.ResponseWriter, r *http.Request) {
    519. 

  519. 	var userGroup models.UserGroup
    520. 

  520. 	err := json.NewDecoder(r.Body).Decode(&userGroup)
    521. 

  521. 	if err != nil {
    522. 

  522. 		slog.Error("error decoding request body", "error",
    523. 

  523. 			err.Error())
    524. 

  524. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    525. 

  525. 		return
    526. 

  526. 	}
    527. 

  527. 	// fetch curr group
    528. 

  528. 	currUserG, err := proLogic.GetUserGroup(userGroup.ID)
    529. 

  529. 	if err != nil {
    530. 

  530. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    531. 

  531. 		return
    532. 

  532. 	}
    533. 

  533. 	if currUserG.Default {
    534. 

  534. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update default user group"), "badrequest"))
    535. 

  535. 		return
    536. 

  536. 	}
    537. 

  537. 	err = proLogic.ValidateUpdateGroupReq(userGroup)
    538. 

  538. 	if err != nil {
    539. 

  539. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    540. 

  540. 		return
    541. 

  541. 	}
    542. 

  542. 

  543. 	userGroup.ExternalIdentityProviderID = currUserG.ExternalIdentityProviderID
    544. 

  544. 

  545. 	err = proLogic.UpdateUserGroup(userGroup)
    546. 

  546. 	if err != nil {
    547. 

  547. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    548. 

  548. 		return
    549. 

  549. 	}
    550. 

  550. 	logic.LogEvent(&models.Event{
    551. 

  551. 		Action: models.Update,
    552. 

  552. 		Source: models.Subject{
    553. 

  553. 			ID:   r.Header.Get("user"),
    554. 

  554. 			Name: r.Header.Get("user"),
    555. 

  555. 			Type: models.UserSub,
    556. 

  556. 		},
    557. 

  557. 		TriggeredBy: r.Header.Get("user"),
    558. 

  558. 		Target: models.Subject{
    559. 

  559. 			ID:   userGroup.ID.String(),
    560. 

  560. 			Name: userGroup.Name,
    561. 

  561. 			Type: models.UserGroupSub,
    562. 

  562. 		},
    563. 

  563. 		Diff: models.Diff{
    564. 

  564. 			Old: currUserG,
    565. 

  565. 			New: userGroup,
    566. 

  566. 		},
    567. 

  567. 		Origin: models.Dashboard,
    568. 

  568. 	})
    569. 

  569. 	replacePeers := false
    570. 

  570. 	go func() {
    571. 

  571. 		networksAdded := make([]models.NetworkID, 0)
    572. 

  572. 		networksRemoved := make([]models.NetworkID, 0)
    573. 

  573. 

  574. 		for networkID := range userGroup.NetworkRoles {
    575. 

  575. 			if _, ok := currUserG.NetworkRoles[networkID]; !ok {
    576. 

  576. 				networksAdded = append(networksAdded, networkID)
    577. 

  577. 			}
    578. 

  578. 		}
    579. 

  579. 

  580. 		for networkID := range currUserG.NetworkRoles {
    581. 

  581. 			if _, ok := userGroup.NetworkRoles[networkID]; !ok {
    582. 

  582. 				networksRemoved = append(networksRemoved, networkID)
    583. 

  583. 			}
    584. 

  584. 		}
    585. 

  585. 

  586. 		for _, networkID := range networksAdded {
    587. 

  587. 			// ensure the network exists.
    588. 

  588. 			network, err := logic.GetNetwork(networkID.String())
    589. 

  589. 			if err != nil {
    590. 

  590. 				continue
    591. 

  591. 			}
    592. 

  592. 

  593. 			// insert acl if the network is added to the group.
    594. 

  594. 			acl := models.Acl{
    595. 

  595. 				ID:          uuid.New().String(),
    596. 

  596. 				Name:        fmt.Sprintf("%s group", userGroup.Name),
    597. 

  597. 				MetaData:    "This Policy allows user group to communicate with all gateways",
    598. 

  598. 				Default:     false,
    599. 

  599. 				ServiceType: models.Any,
    600. 

  600. 				NetworkID:   models.NetworkID(network.NetID),
    601. 

  601. 				Proto:       models.ALL,
    602. 

  602. 				RuleType:    models.UserPolicy,
    603. 

  603. 				Src: []models.AclPolicyTag{
    604. 

  604. 					{
    605. 

  605. 						ID:    models.UserGroupAclID,
    606. 

  606. 						Value: userGroup.ID.String(),
    607. 

  607. 					},
    608. 

  608. 				},
    609. 

  609. 				Dst: []models.AclPolicyTag{
    610. 

  610. 					{
    611. 

  611. 						ID:    models.NodeTagID,
    612. 

  612. 						Value: fmt.Sprintf("%s.%s", models.NetworkID(network.NetID), models.GwTagName),
    613. 

  613. 					}},
    614. 

  614. 				AllowedDirection: models.TrafficDirectionUni,
    615. 

  615. 				Enabled:          true,
    616. 

  616. 				CreatedBy:        "auto",
    617. 

  617. 				CreatedAt:        time.Now().UTC(),
    618. 

  618. 			}
    619. 

  619. 			_ = logic.InsertAcl(acl)
    620. 

  620. 			replacePeers = true
    621. 

  621. 		}
    622. 

  622. 

  623. 		// since this group doesn't have a role for this network,
    624. 

  624. 		// there is no point in having this group as src in any
    625. 

  625. 		// of the network's acls.
    626. 

  626. 		for _, networkID := range networksRemoved {
    627. 

  627. 			acls, err := logic.ListAclsByNetwork(networkID)
    628. 

  628. 			if err != nil {
    629. 

  629. 				continue
    630. 

  630. 			}
    631. 

  631. 

  632. 			for _, acl := range acls {
    633. 

  633. 				var hasGroupSrc bool
    634. 

  634. 				newAclSrc := make([]models.AclPolicyTag, 0)
    635. 

  635. 				for _, src := range acl.Src {
    636. 

  636. 					if src.ID == models.UserGroupAclID && src.Value == userGroup.ID.String() {
    637. 

  637. 						hasGroupSrc = true
    638. 

  638. 					} else {
    639. 

  639. 						newAclSrc = append(newAclSrc, src)
    640. 

  640. 					}
    641. 

  641. 				}
    642. 

  642. 

  643. 				if hasGroupSrc {
    644. 

  644. 					if len(newAclSrc) == 0 {
    645. 

  645. 						// no other src exists, delete acl.
    646. 

  646. 						_ = logic.DeleteAcl(acl)
    647. 

  647. 					} else {
    648. 

  648. 						// other sources exist, update acl.
    649. 

  649. 						acl.Src = newAclSrc
    650. 

  650. 						_ = logic.UpsertAcl(acl)
    651. 

  651. 					}
    652. 

  652. 					replacePeers = true
    653. 

  653. 				}
    654. 

  654. 			}
    655. 

  655. 		}
    656. 

  656. 	}()
    657. 

  657. 

  658. 	// reset configs for service user
    659. 

  659. 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userGroup.ID, currUserG.NetworkRoles, userGroup.NetworkRoles)
    660. 

  660. 	go mq.PublishPeerUpdate(replacePeers)
    661. 

  661. 	logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
    662. 

  662. }
    663. 

  663. 

  664. // swagger:route GET /api/v1/users/unassigned_network_user user listUnAssignedNetUsers
    665. 

  665. //
    666. 

  666. // list unassigned network users.
    667. 

  667. //
    668. 

  668. //			Schemes: https
    669. 

  669. //
    670. 

  670. //			Security:
    671. 

  671. //	  		oauth
    672. 

  672. //
    673. 

  673. //			Responses:
    674. 

  674. //				200: userBodyResponse
    675. 

  675. func listUnAssignedNetUsers(w http.ResponseWriter, r *http.Request) {
    676. 

  676. 	netID := r.URL.Query().Get("network_id")
    677. 

  677. 	if netID == "" {
    678. 

  678. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    679. 

  679. 		return
    680. 

  680. 	}
    681. 

  681. 	var unassignedUsers []models.ReturnUser
    682. 

  682. 	users, _ := logic.GetUsers()
    683. 

  683. 	for _, user := range users {
    684. 

  684. 		if user.PlatformRoleID != models.ServiceUser {
    685. 

  685. 			continue
    686. 

  686. 		}
    687. 

  687. 		skipUser := false
    688. 

  688. 		for userGID := range user.UserGroups {
    689. 

  689. 			userG, err := proLogic.GetUserGroup(userGID)
    690. 

  690. 			if err != nil {
    691. 

  691. 				continue
    692. 

  692. 			}
    693. 

  693. 			if _, ok := userG.NetworkRoles[models.NetworkID(netID)]; ok {
    694. 

  694. 				skipUser = true
    695. 

  695. 				break
    696. 

  696. 			}
    697. 

  697. 		}
    698. 

  698. 		if skipUser {
    699. 

  699. 			continue
    700. 

  700. 		}
    701. 

  701. 		unassignedUsers = append(unassignedUsers, user)
    702. 

  702. 	}
    703. 

  703. 	logic.ReturnSuccessResponseWithJson(w, r, unassignedUsers, "returned unassigned network service users")
    704. 

  704. }
    705. 

  705. 

  706. // swagger:route PUT /api/v1/users/add_network_user user addUsertoNetwork
    707. 

  707. //
    708. 

  708. // add user to network.
    709. 

  709. //
    710. 

  710. //			Schemes: https
    711. 

  711. //
    712. 

  712. //			Security:
    713. 

  713. //	  		oauth
    714. 

  714. //
    715. 

  715. //			Responses:
    716. 

  716. //				200: userBodyResponse
    717. 

  717. func addUsertoNetwork(w http.ResponseWriter, r *http.Request) {
    718. 

  718. 	username := r.URL.Query().Get("username")
    719. 

  719. 	if username == "" {
    720. 

  720. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    721. 

  721. 		return
    722. 

  722. 	}
    723. 

  723. 	netID := r.URL.Query().Get("network_id")
    724. 

  724. 	if netID == "" {
    725. 

  725. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    726. 

  726. 		return
    727. 

  727. 	}
    728. 

  728. 	user, err := logic.GetUser(username)
    729. 

  729. 	if err != nil {
    730. 

  730. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    731. 

  731. 		return
    732. 

  732. 	}
    733. 

  733. 	if user.PlatformRoleID != models.ServiceUser {
    734. 

  734. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    735. 

  735. 		return
    736. 

  736. 	}
    737. 

  737. 	oldUser := *user
    738. 

  738. 	user.UserGroups[proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID))] = struct{}{}
    739. 

  739. 	logic.UpsertUser(*user)
    740. 

  740. 	logic.LogEvent(&models.Event{
    741. 

  741. 		Action: models.Update,
    742. 

  742. 		Source: models.Subject{
    743. 

  743. 			ID:   r.Header.Get("user"),
    744. 

  744. 			Name: r.Header.Get("user"),
    745. 

  745. 			Type: models.UserSub,
    746. 

  746. 		},
    747. 

  747. 		TriggeredBy: r.Header.Get("user"),
    748. 

  748. 		Target: models.Subject{
    749. 

  749. 			ID:   user.UserName,
    750. 

  750. 			Name: user.UserName,
    751. 

  751. 			Type: models.UserSub,
    752. 

  752. 		},
    753. 

  753. 		Diff: models.Diff{
    754. 

  754. 			Old: oldUser,
    755. 

  755. 			New: user,
    756. 

  756. 		},
    757. 

  757. 		Origin: models.Dashboard,
    758. 

  758. 	})
    759. 

  759. 

  760. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    761. 

  761. }
    762. 

  762. 

  763. // swagger:route PUT /api/v1/users/remove_network_user user removeUserfromNetwork
    764. 

  764. //
    765. 

  765. // add user to network.
    766. 

  766. //
    767. 

  767. //			Schemes: https
    768. 

  768. //
    769. 

  769. //			Security:
    770. 

  770. //	  		oauth
    771. 

  771. //
    772. 

  772. //			Responses:
    773. 

  773. //				200: userBodyResponse
    774. 

  774. func removeUserfromNetwork(w http.ResponseWriter, r *http.Request) {
    775. 

  775. 	username := r.URL.Query().Get("username")
    776. 

  776. 	if username == "" {
    777. 

  777. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    778. 

  778. 		return
    779. 

  779. 	}
    780. 

  780. 	netID := r.URL.Query().Get("network_id")
    781. 

  781. 	if netID == "" {
    782. 

  782. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    783. 

  783. 		return
    784. 

  784. 	}
    785. 

  785. 	user, err := logic.GetUser(username)
    786. 

  786. 	if err != nil {
    787. 

  787. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    788. 

  788. 		return
    789. 

  789. 	}
    790. 

  790. 	if user.PlatformRoleID != models.ServiceUser {
    791. 

  791. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    792. 

  792. 		return
    793. 

  793. 	}
    794. 

  794. 	oldUser := *user
    795. 

  795. 	delete(user.UserGroups, proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID)))
    796. 

  796. 	logic.UpsertUser(*user)
    797. 

  797. 	logic.LogEvent(&models.Event{
    798. 

  798. 		Action: models.Update,
    799. 

  799. 		Source: models.Subject{
    800. 

  800. 			ID:   r.Header.Get("user"),
    801. 

  801. 			Name: r.Header.Get("user"),
    802. 

  802. 			Type: models.UserSub,
    803. 

  803. 		},
    804. 

  804. 		TriggeredBy: r.Header.Get("user"),
    805. 

  805. 		Target: models.Subject{
    806. 

  806. 			ID:   user.UserName,
    807. 

  807. 			Name: user.UserName,
    808. 

  808. 			Type: models.UserSub,
    809. 

  809. 		},
    810. 

  810. 		Diff: models.Diff{
    811. 

  811. 			Old: oldUser,
    812. 

  812. 			New: user,
    813. 

  813. 		},
    814. 

  814. 		Origin: models.Dashboard,
    815. 

  815. 	})
    816. 

  816. 

  817. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    818. 

  818. }
    819. 

  819. 

  820. // swagger:route DELETE /api/v1/user/group user deleteUserGroup
    821. 

  821. //
    822. 

  822. // delete user group.
    823. 

  823. //
    824. 

  824. //			Schemes: https
    825. 

  825. //
    826. 

  826. //			Security:
    827. 

  827. //	  		oauth
    828. 

  828. //
    829. 

  829. //			Responses:
    830. 

  830. //				200: userBodyResponse
    831. 

  831. //
    832. 

  832. // @Summary     Delete user group.
    833. 

  833. // @Router      /api/v1/user/group [delete]
    834. 

  834. // @Tags        Users
    835. 

  835. // @Param       group_id query string true "group id required to delete the role"
    836. 

  836. // @Success     200 {string} string
    837. 

  837. // @Failure     500 {object} models.ErrorResponse
    838. 

  838. func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
    839. 

  839. 

  840. 	gid := r.URL.Query().Get("group_id")
    841. 

  841. 	if gid == "" {
    842. 

  842. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    843. 

  843. 		return
    844. 

  844. 	}
    845. 

  845. 	userG, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    846. 

  846. 	if err != nil {
    847. 

  847. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to fetch group details"), "badrequest"))
    848. 

  848. 		return
    849. 

  849. 	}
    850. 

  850. 	if userG.Default {
    851. 

  851. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default user group"), "badrequest"))
    852. 

  852. 		return
    853. 

  853. 	}
    854. 

  854. 	err = proLogic.DeleteAndCleanUpGroup(&userG)
    855. 

  855. 	if err != nil {
    856. 

  856. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    857. 

  857. 		return
    858. 

  858. 	}
    859. 

  859. 

  860. 	// TODO: log event in proLogic.DeleteAndCleanUpGroup so that all deletions are logged.
    861. 

  861. 	logic.LogEvent(&models.Event{
    862. 

  862. 		Action: models.Delete,
    863. 

  863. 		Source: models.Subject{
    864. 

  864. 			ID:   r.Header.Get("user"),
    865. 

  865. 			Name: r.Header.Get("user"),
    866. 

  866. 			Type: models.UserSub,
    867. 

  867. 		},
    868. 

  868. 		TriggeredBy: r.Header.Get("user"),
    869. 

  869. 		Target: models.Subject{
    870. 

  870. 			ID:   userG.ID.String(),
    871. 

  871. 			Name: userG.Name,
    872. 

  872. 			Type: models.UserGroupSub,
    873. 

  873. 		},
    874. 

  874. 		Origin: models.Dashboard,
    875. 

  875. 	})
    876. 

  876. 

  877. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
    878. 

  878. }
    879. 

  879. 

  880. // @Summary     lists all user roles.
    881. 

  881. // @Router      /api/v1/user/roles [get]
    882. 

  882. // @Tags        Users
    883. 

  883. // @Param       role_id query string true "roleid required to get the role details"
    884. 

  884. // @Success     200 {object}  []models.UserRolePermissionTemplate
    885. 

  885. // @Failure     500 {object} models.ErrorResponse
    886. 

  886. func ListRoles(w http.ResponseWriter, r *http.Request) {
    887. 

  887. 	platform := r.URL.Query().Get("platform")
    888. 

  888. 	var roles []models.UserRolePermissionTemplate
    889. 

  889. 	var err error
    890. 

  890. 	if platform == "true" {
    891. 

  891. 		roles, err = logic.ListPlatformRoles()
    892. 

  892. 	} else {
    893. 

  893. 		roles, err = proLogic.ListNetworkRoles()
    894. 

  894. 	}
    895. 

  895. 	if err != nil {
    896. 

  896. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    897. 

  897. 			Code:    http.StatusInternalServerError,
    898. 

  898. 			Message: err.Error(),
    899. 

  899. 		})
    900. 

  900. 		return
    901. 

  901. 	}
    902. 

  902. 

  903. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    904. 

  904. }
    905. 

  905. 

  906. // @Summary     Get user role permission template.
    907. 

  907. // @Router      /api/v1/user/role [get]
    908. 

  908. // @Tags        Users
    909. 

  909. // @Param       role_id query string true "roleid required to get the role details"
    910. 

  910. // @Success     200 {object} models.UserRolePermissionTemplate
    911. 

  911. // @Failure     500 {object} models.ErrorResponse
    912. 

  912. func getRole(w http.ResponseWriter, r *http.Request) {
    913. 

  913. 	rid := r.URL.Query().Get("role_id")
    914. 

  914. 	if rid == "" {
    915. 

  915. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    916. 

  916. 		return
    917. 

  917. 	}
    918. 

  918. 	role, err := logic.GetRole(models.UserRoleID(rid))
    919. 

  919. 	if err != nil {
    920. 

  920. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    921. 

  921. 			Code:    http.StatusInternalServerError,
    922. 

  922. 			Message: err.Error(),
    923. 

  923. 		})
    924. 

  924. 		return
    925. 

  925. 	}
    926. 

  926. 	logic.ReturnSuccessResponseWithJson(w, r, role, "successfully fetched user role permission templates")
    927. 

  927. }
    928. 

  928. 

  929. // @Summary     Create user role permission template.
    930. 

  930. // @Router      /api/v1/user/role [post]
    931. 

  931. // @Tags        Users
    932. 

  932. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    933. 

  933. // @Success     200 {object}  models.UserRolePermissionTemplate
    934. 

  934. // @Failure     500 {object} models.ErrorResponse
    935. 

  935. func createRole(w http.ResponseWriter, r *http.Request) {
    936. 

  936. 	var userRole models.UserRolePermissionTemplate
    937. 

  937. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    938. 

  938. 	if err != nil {
    939. 

  939. 		slog.Error("error decoding request body", "error",
    940. 

  940. 			err.Error())
    941. 

  941. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    942. 

  942. 		return
    943. 

  943. 	}
    944. 

  944. 	err = proLogic.ValidateCreateRoleReq(&userRole)
    945. 

  945. 	if err != nil {
    946. 

  946. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    947. 

  947. 		return
    948. 

  948. 	}
    949. 

  949. 	userRole.Default = false
    950. 

  950. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    951. 

  951. 	err = proLogic.CreateRole(userRole)
    952. 

  952. 	if err != nil {
    953. 

  953. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    954. 

  954. 		return
    955. 

  955. 	}
    956. 

  956. 	logic.LogEvent(&models.Event{
    957. 

  957. 		Action: models.Create,
    958. 

  958. 		Source: models.Subject{
    959. 

  959. 			ID:   r.Header.Get("user"),
    960. 

  960. 			Name: r.Header.Get("user"),
    961. 

  961. 			Type: models.UserSub,
    962. 

  962. 		},
    963. 

  963. 		TriggeredBy: r.Header.Get("user"),
    964. 

  964. 		Target: models.Subject{
    965. 

  965. 			ID:   userRole.ID.String(),
    966. 

  966. 			Name: userRole.Name,
    967. 

  967. 			Type: models.UserRoleSub,
    968. 

  968. 		},
    969. 

  969. 		Origin: models.ClientApp,
    970. 

  970. 	})
    971. 

  971. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "created user role")
    972. 

  972. }
    973. 

  973. 

  974. // @Summary     Update user role permission template.
    975. 

  975. // @Router      /api/v1/user/role [put]
    976. 

  976. // @Tags        Users
    977. 

  977. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    978. 

  978. // @Success     200 {object} models.UserRolePermissionTemplate
    979. 

  979. // @Failure     500 {object} models.ErrorResponse
    980. 

  980. func updateRole(w http.ResponseWriter, r *http.Request) {
    981. 

  981. 	var userRole models.UserRolePermissionTemplate
    982. 

  982. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    983. 

  983. 	if err != nil {
    984. 

  984. 		slog.Error("error decoding request body", "error",
    985. 

  985. 			err.Error())
    986. 

  986. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    987. 

  987. 		return
    988. 

  988. 	}
    989. 

  989. 	currRole, err := logic.GetRole(userRole.ID)
    990. 

  990. 	if err != nil {
    991. 

  991. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    992. 

  992. 		return
    993. 

  993. 	}
    994. 

  994. 	err = proLogic.ValidateUpdateRoleReq(&userRole)
    995. 

  995. 	if err != nil {
    996. 

  996. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    997. 

  997. 		return
    998. 

  998. 	}
    999. 

  999. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    1000. 

  1000. 	err = proLogic.UpdateRole(userRole)
    1001. 

  1001. 	if err != nil {
    1002. 

  1002. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1003. 

  1003. 		return
    1004. 

  1004. 	}
    1005. 

  1005. 	logic.LogEvent(&models.Event{
    1006. 

  1006. 		Action: models.Update,
    1007. 

  1007. 		Source: models.Subject{
    1008. 

  1008. 			ID:   r.Header.Get("user"),
    1009. 

  1009. 			Name: r.Header.Get("user"),
    1010. 

  1010. 			Type: models.UserSub,
    1011. 

  1011. 		},
    1012. 

  1012. 		TriggeredBy: r.Header.Get("user"),
    1013. 

  1013. 		Target: models.Subject{
    1014. 

  1014. 			ID:   userRole.ID.String(),
    1015. 

  1015. 			Name: userRole.Name,
    1016. 

  1016. 			Type: models.UserRoleSub,
    1017. 

  1017. 		},
    1018. 

  1018. 		Diff: models.Diff{
    1019. 

  1019. 			Old: currRole,
    1020. 

  1020. 			New: userRole,
    1021. 

  1021. 		},
    1022. 

  1022. 		Origin: models.Dashboard,
    1023. 

  1023. 	})
    1024. 

  1024. 	// reset configs for service user
    1025. 

  1025. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
    1026. 

  1026. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "updated user role")
    1027. 

  1027. }
    1028. 

  1028. 

  1029. // @Summary     Delete user role permission template.
    1030. 

  1030. // @Router      /api/v1/user/role [delete]
    1031. 

  1031. // @Tags        Users
    1032. 

  1032. // @Param       role_id query string true "roleid required to delete the role"
    1033. 

  1033. // @Success     200 {string} string
    1034. 

  1034. // @Failure     500 {object} models.ErrorResponse
    1035. 

  1035. func deleteRole(w http.ResponseWriter, r *http.Request) {
    1036. 

  1036. 

  1037. 	rid := r.URL.Query().Get("role_id")
    1038. 

  1038. 	if rid == "" {
    1039. 

  1039. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1040. 

  1040. 		return
    1041. 

  1041. 	}
    1042. 

  1042. 	role, err := logic.GetRole(models.UserRoleID(rid))
    1043. 

  1043. 	if err != nil {
    1044. 

  1044. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1045. 

  1045. 		return
    1046. 

  1046. 	}
    1047. 

  1047. 	err = proLogic.DeleteRole(models.UserRoleID(rid), false)
    1048. 

  1048. 	if err != nil {
    1049. 

  1049. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1050. 

  1050. 		return
    1051. 

  1051. 	}
    1052. 

  1052. 	logic.LogEvent(&models.Event{
    1053. 

  1053. 		Action: models.Delete,
    1054. 

  1054. 		Source: models.Subject{
    1055. 

  1055. 			ID:   r.Header.Get("user"),
    1056. 

  1056. 			Name: r.Header.Get("user"),
    1057. 

  1057. 			Type: models.UserSub,
    1058. 

  1058. 		},
    1059. 

  1059. 		TriggeredBy: r.Header.Get("user"),
    1060. 

  1060. 		Target: models.Subject{
    1061. 

  1061. 			ID:   role.ID.String(),
    1062. 

  1062. 			Name: role.Name,
    1063. 

  1063. 			Type: models.UserRoleSub,
    1064. 

  1064. 		},
    1065. 

  1065. 		Origin: models.Dashboard,
    1066. 

  1066. 	})
    1067. 

  1067. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
    1068. 

  1068. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user role")
    1069. 

  1069. }
    1070. 

  1070. 

  1071. // @Summary     Attach user to a remote access gateway
    1072. 

  1072. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [post]
    1073. 

  1073. // @Tags        PRO
    1074. 

  1074. // @Accept      json
    1075. 

  1075. // @Produce     json
    1076. 

  1076. // @Param       username path string true "Username"
    1077. 

  1077. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1078. 

  1078. // @Success     200 {object} models.ReturnUser
    1079. 

  1079. // @Failure     400 {object} models.ErrorResponse
    1080. 

  1080. // @Failure     500 {object} models.ErrorResponse
    1081. 

  1081. func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
    1082. 

  1082. 	// set header.
    1083. 

  1083. 	w.Header().Set("Content-Type", "application/json")
    1084. 

  1084. 

  1085. 	var params = mux.Vars(r)
    1086. 

  1086. 	username := params["username"]
    1087. 

  1087. 	remoteGwID := params["remote_access_gateway_id"]
    1088. 

  1088. 	if username == "" || remoteGwID == "" {
    1089. 

  1089. 		logic.ReturnErrorResponse(
    1090. 

  1090. 			w,
    1091. 

  1091. 			r,
    1092. 

  1092. 			logic.FormatError(
    1093. 

  1093. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1094. 

  1094. 				"badrequest",
    1095. 

  1095. 			),
    1096. 

  1096. 		)
    1097. 

  1097. 		return
    1098. 

  1098. 	}
    1099. 

  1099. 	user, err := logic.GetUser(username)
    1100. 

  1100. 	if err != nil {
    1101. 

  1101. 		slog.Error("failed to fetch user: ", "username", username, "error", err.Error())
    1102. 

  1102. 		logic.ReturnErrorResponse(
    1103. 

  1103. 			w,
    1104. 

  1104. 			r,
    1105. 

  1105. 			logic.FormatError(
    1106. 

  1106. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1107. 

  1107. 				"badrequest",
    1108. 

  1108. 			),
    1109. 

  1109. 		)
    1110. 

  1110. 		return
    1111. 

  1111. 	}
    1112. 

  1112. 	if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
    1113. 

  1113. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("superadmins/admins have access to all gateways"), "badrequest"))
    1114. 

  1114. 		return
    1115. 

  1115. 	}
    1116. 

  1116. 	node, err := logic.GetNodeByID(remoteGwID)
    1117. 

  1117. 	if err != nil {
    1118. 

  1118. 		slog.Error("failed to fetch gateway node", "nodeID", remoteGwID, "error", err)
    1119. 

  1119. 		logic.ReturnErrorResponse(
    1120. 

  1120. 			w,
    1121. 

  1121. 			r,
    1122. 

  1122. 			logic.FormatError(
    1123. 

  1123. 				fmt.Errorf("failed to fetch remote access gateway node, error: %v", err),
    1124. 

  1124. 				"badrequest",
    1125. 

  1125. 			),
    1126. 

  1126. 		)
    1127. 

  1127. 		return
    1128. 

  1128. 	}
    1129. 

  1129. 	if !node.IsIngressGateway {
    1130. 

  1130. 		logic.ReturnErrorResponse(
    1131. 

  1131. 			w,
    1132. 

  1132. 			r,
    1133. 

  1133. 			logic.FormatError(fmt.Errorf("node is not a remote access gateway"), "badrequest"),
    1134. 

  1134. 		)
    1135. 

  1135. 		return
    1136. 

  1136. 	}
    1137. 

  1137. 	if user.RemoteGwIDs == nil {
    1138. 

  1138. 		user.RemoteGwIDs = make(map[string]struct{})
    1139. 

  1139. 	}
    1140. 

  1140. 	user.RemoteGwIDs[node.ID.String()] = struct{}{}
    1141. 

  1141. 	err = logic.UpsertUser(*user)
    1142. 

  1142. 	if err != nil {
    1143. 

  1143. 		slog.Error("failed to update user's gateways", "user", username, "error", err)
    1144. 

  1144. 		logic.ReturnErrorResponse(
    1145. 

  1145. 			w,
    1146. 

  1146. 			r,
    1147. 

  1147. 			logic.FormatError(
    1148. 

  1148. 				fmt.Errorf("failed to fetch remote access gateway node,error: %v", err),
    1149. 

  1149. 				"badrequest",
    1150. 

  1150. 			),
    1151. 

  1151. 		)
    1152. 

  1152. 		return
    1153. 

  1153. 	}
    1154. 

  1154. 

  1155. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1156. 

  1156. }
    1157. 

  1157. 

  1158. // @Summary     Remove user from a remote access gateway
    1159. 

  1159. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [delete]
    1160. 

  1160. // @Tags        PRO
    1161. 

  1161. // @Accept      json
    1162. 

  1162. // @Produce     json
    1163. 

  1163. // @Param       username path string true "Username"
    1164. 

  1164. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1165. 

  1165. // @Success     200 {object} models.ReturnUser
    1166. 

  1166. // @Failure     400 {object} models.ErrorResponse
    1167. 

  1167. // @Failure     500 {object} models.ErrorResponse
    1168. 

  1168. func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
    1169. 

  1169. 	// set header.
    1170. 

  1170. 	w.Header().Set("Content-Type", "application/json")
    1171. 

  1171. 

  1172. 	var params = mux.Vars(r)
    1173. 

  1173. 	username := params["username"]
    1174. 

  1174. 	remoteGwID := params["remote_access_gateway_id"]
    1175. 

  1175. 	if username == "" || remoteGwID == "" {
    1176. 

  1176. 		logic.ReturnErrorResponse(
    1177. 

  1177. 			w,
    1178. 

  1178. 			r,
    1179. 

  1179. 			logic.FormatError(
    1180. 

  1180. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1181. 

  1181. 				"badrequest",
    1182. 

  1182. 			),
    1183. 

  1183. 		)
    1184. 

  1184. 		return
    1185. 

  1185. 	}
    1186. 

  1186. 	user, err := logic.GetUser(username)
    1187. 

  1187. 	if err != nil {
    1188. 

  1188. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1189. 

  1189. 		logic.ReturnErrorResponse(
    1190. 

  1190. 			w,
    1191. 

  1191. 			r,
    1192. 

  1192. 			logic.FormatError(
    1193. 

  1193. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1194. 

  1194. 				"badrequest",
    1195. 

  1195. 			),
    1196. 

  1196. 		)
    1197. 

  1197. 		return
    1198. 

  1198. 	}
    1199. 

  1199. 	delete(user.RemoteGwIDs, remoteGwID)
    1200. 

  1200. 	go func(user models.User, remoteGwID string) {
    1201. 

  1201. 		extclients, err := logic.GetAllExtClients()
    1202. 

  1202. 		if err != nil {
    1203. 

  1203. 			slog.Error("failed to fetch extclients", "error", err)
    1204. 

  1204. 			return
    1205. 

  1205. 		}
    1206. 

  1206. 		for _, extclient := range extclients {
    1207. 

  1207. 			if extclient.OwnerID == user.UserName && remoteGwID == extclient.IngressGatewayID {
    1208. 

  1208. 				err = logic.DeleteExtClientAndCleanup(extclient)
    1209. 

  1209. 				if err != nil {
    1210. 

  1210. 					slog.Error("failed to delete extclient",
    1211. 

  1211. 						"id", extclient.ClientID, "owner", user.UserName, "error", err)
    1212. 

  1212. 				} else {
    1213. 

  1213. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    1214. 

  1214. 						slog.Error("error setting ext peers: " + err.Error())
    1215. 

  1215. 					}
    1216. 

  1216. 				}
    1217. 

  1217. 			}
    1218. 

  1218. 		}
    1219. 

  1219. 		if servercfg.IsDNSMode() {
    1220. 

  1220. 			logic.SetDNS()
    1221. 

  1221. 		}
    1222. 

  1222. 	}(*user, remoteGwID)
    1223. 

  1223. 

  1224. 	err = logic.UpsertUser(*user)
    1225. 

  1225. 	if err != nil {
    1226. 

  1226. 		slog.Error("failed to update user gateways", "user", username, "error", err)
    1227. 

  1227. 		logic.ReturnErrorResponse(
    1228. 

  1228. 			w,
    1229. 

  1229. 			r,
    1230. 

  1230. 			logic.FormatError(
    1231. 

  1231. 				errors.New("failed to fetch remote access gaetway node "+err.Error()),
    1232. 

  1232. 				"badrequest",
    1233. 

  1233. 			),
    1234. 

  1234. 		)
    1235. 

  1235. 		return
    1236. 

  1236. 	}
    1237. 

  1237. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1238. 

  1238. }
    1239. 

  1239. 

  1240. // @Summary     Get Users Remote Access Gw Networks.
    1241. 

  1241. // @Router      /api/users/{username}/remote_access_gw [get]
    1242. 

  1242. // @Tags        Users
    1243. 

  1243. // @Param       username path string true "Username to fetch all the gateways with access"
    1244. 

  1244. // @Success     200 {object} map[string][]models.UserRemoteGws
    1245. 

  1245. // @Failure     500 {object} models.ErrorResponse
    1246. 

  1246. func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
    1247. 

  1247. 	// set header.
    1248. 

  1248. 	w.Header().Set("Content-Type", "application/json")
    1249. 

  1249. 	username := r.Header.Get("user")
    1250. 

  1250. 	user, err := logic.GetUser(username)
    1251. 

  1251. 	if err != nil {
    1252. 

  1252. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1253. 

  1253. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1254. 

  1254. 		return
    1255. 

  1255. 	}
    1256. 

  1256. 	userGws := make(map[string][]models.UserRemoteGws)
    1257. 

  1257. 	networks := []models.Network{}
    1258. 

  1258. 	networkMap := make(map[string]struct{})
    1259. 

  1259. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1260. 

  1260. 	for _, node := range userGwNodes {
    1261. 

  1261. 		network, err := logic.GetNetwork(node.Network)
    1262. 

  1262. 		if err != nil {
    1263. 

  1263. 			slog.Error("failed to get node network", "error", err)
    1264. 

  1264. 			continue
    1265. 

  1265. 		}
    1266. 

  1266. 		if _, ok := networkMap[network.NetID]; ok {
    1267. 

  1267. 			continue
    1268. 

  1268. 		}
    1269. 

  1269. 		networkMap[network.NetID] = struct{}{}
    1270. 

  1270. 		networks = append(networks, network)
    1271. 

  1271. 	}
    1272. 

  1272. 

  1273. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1274. 

  1274. 	logic.ReturnSuccessResponseWithJson(w, r, networks, "fetched user accessible networks")
    1275. 

  1275. }
    1276. 

  1276. 

  1277. // @Summary     Get Users Remote Access Gw Networks.
    1278. 

  1278. // @Router      /api/users/{username}/remote_access_gw [get]
    1279. 

  1279. // @Tags        Users
    1280. 

  1280. // @Param       username path string true "Username to fetch all the gateways with access"
    1281. 

  1281. // @Success     200 {object} map[string][]models.UserRemoteGws
    1282. 

  1282. // @Failure     500 {object} models.ErrorResponse
    1283. 

  1283. func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request) {
    1284. 

  1284. 	// set header.
    1285. 

  1285. 	w.Header().Set("Content-Type", "application/json")
    1286. 

  1286. 	var params = mux.Vars(r)
    1287. 

  1287. 	username := r.Header.Get("user")
    1288. 

  1288. 	user, err := logic.GetUser(username)
    1289. 

  1289. 	if err != nil {
    1290. 

  1290. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1291. 

  1291. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1292. 

  1292. 		return
    1293. 

  1293. 	}
    1294. 

  1294. 	network := params["network"]
    1295. 

  1295. 	if network == "" {
    1296. 

  1296. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params network"), "badrequest"))
    1297. 

  1297. 		return
    1298. 

  1298. 	}
    1299. 

  1299. 	userGws := []models.UserRAGs{}
    1300. 

  1300. 

  1301. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1302. 

  1302. 	for _, node := range userGwNodes {
    1303. 

  1303. 		if node.Network != network {
    1304. 

  1304. 			continue
    1305. 

  1305. 		}
    1306. 

  1306. 

  1307. 		host, err := logic.GetHost(node.HostID.String())
    1308. 

  1308. 		if err != nil {
    1309. 

  1309. 			continue
    1310. 

  1310. 		}
    1311. 

  1311. 

  1312. 		userGws = append(userGws, models.UserRAGs{
    1313. 

  1313. 			GwID:              node.ID.String(),
    1314. 

  1314. 			GWName:            host.Name,
    1315. 

  1315. 			Network:           node.Network,
    1316. 

  1316. 			IsInternetGateway: node.IsInternetGateway,
    1317. 

  1317. 			Metadata:          node.Metadata,
    1318. 

  1318. 		})
    1319. 

  1319. 

  1320. 	}
    1321. 

  1321. 

  1322. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1323. 

  1323. 	logic.ReturnSuccessResponseWithJson(w, r, userGws, "fetched user accessible gateways in network "+network)
    1324. 

  1324. }
    1325. 

  1325. 

  1326. // @Summary     Get Users Remote Access Gw Networks.
    1327. 

  1327. // @Router      /api/users/{username}/remote_access_gw [get]
    1328. 

  1328. // @Tags        Users
    1329. 

  1329. // @Param       username path string true "Username to fetch all the gateways with access"
    1330. 

  1330. // @Success     200 {object} map[string][]models.UserRemoteGws
    1331. 

  1331. // @Failure     500 {object} models.ErrorResponse
    1332. 

  1332. func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
    1333. 

  1333. 	// set header.
    1334. 

  1334. 	w.Header().Set("Content-Type", "application/json")
    1335. 

  1335. 	var params = mux.Vars(r)
    1336. 

  1336. 	username := r.Header.Get("user")
    1337. 

  1337. 	user, err := logic.GetUser(username)
    1338. 

  1338. 	if err != nil {
    1339. 

  1339. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1340. 

  1340. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1341. 

  1341. 		return
    1342. 

  1342. 	}
    1343. 

  1343. 	remoteGwID := params["access_point_id"]
    1344. 

  1344. 	if remoteGwID == "" {
    1345. 

  1345. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params access_point_id"), "badrequest"))
    1346. 

  1346. 		return
    1347. 

  1347. 	}
    1348. 

  1348. 	var req models.UserRemoteGwsReq
    1349. 

  1349. 	err = json.NewDecoder(r.Body).Decode(&req)
    1350. 

  1350. 	if err != nil {
    1351. 

  1351. 		slog.Error("error decoding request body: ", "error", err)
    1352. 

  1352. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1353. 

  1353. 		return
    1354. 

  1354. 	}
    1355. 

  1355. 

  1356. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1357. 

  1357. 	if _, ok := userGwNodes[remoteGwID]; !ok {
    1358. 

  1358. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
    1359. 

  1359. 		return
    1360. 

  1360. 	}
    1361. 

  1361. 	node, err := logic.GetNodeByID(remoteGwID)
    1362. 

  1362. 	if err != nil {
    1363. 

  1363. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw node %s, error: %v", remoteGwID, err), "badrequest"))
    1364. 

  1364. 		return
    1365. 

  1365. 	}
    1366. 

  1366. 	host, err := logic.GetHost(node.HostID.String())
    1367. 

  1367. 	if err != nil {
    1368. 

  1368. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw host %s, error: %v", remoteGwID, err), "badrequest"))
    1369. 

  1369. 		return
    1370. 

  1370. 	}
    1371. 

  1371. 	network, err := logic.GetNetwork(node.Network)
    1372. 

  1372. 	if err != nil {
    1373. 

  1373. 		slog.Error("failed to get node network", "error", err)
    1374. 

  1374. 	}
    1375. 

  1375. 	var userConf models.ExtClient
    1376. 

  1376. 	allextClients, err := logic.GetAllExtClients()
    1377. 

  1377. 	if err != nil {
    1378. 

  1378. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1379. 

  1379. 		return
    1380. 

  1380. 	}
    1381. 

  1381. 	for _, extClient := range allextClients {
    1382. 

  1382. 		if extClient.Network != network.NetID || extClient.IngressGatewayID != node.ID.String() {
    1383. 

  1383. 			continue
    1384. 

  1384. 		}
    1385. 

  1385. 		if extClient.RemoteAccessClientID == req.RemoteAccessClientID && extClient.OwnerID == username {
    1386. 

  1386. 			userConf = extClient
    1387. 

  1387. 			userConf.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
    1388. 

  1388. 		}
    1389. 

  1389. 	}
    1390. 

  1390. 	if userConf.ClientID == "" {
    1391. 

  1391. 		// create a new conf
    1392. 

  1392. 		userConf.OwnerID = user.UserName
    1393. 

  1393. 		userConf.RemoteAccessClientID = req.RemoteAccessClientID
    1394. 

  1394. 		userConf.IngressGatewayID = node.ID.String()
    1395. 

  1395. 		logic.SetDNSOnWgConfig(&node, &userConf)
    1396. 

  1396. 

  1397. 		userConf.Network = node.Network
    1398. 

  1398. 		host, err := logic.GetHost(node.HostID.String())
    1399. 

  1399. 		if err != nil {
    1400. 

  1400. 			logger.Log(0, r.Header.Get("user"),
    1401. 

  1401. 				fmt.Sprintf("failed to get ingress gateway host for node [%s] info: %v", node.ID, err))
    1402. 

  1402. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1403. 

  1403. 			return
    1404. 

  1404. 		}
    1405. 

  1405. 		listenPort := logic.GetPeerListenPort(host)
    1406. 

  1406. 		if host.EndpointIP.To4() == nil {
    1407. 

  1407. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("[%s]:%d", host.EndpointIPv6.String(), listenPort)
    1408. 

  1408. 		} else {
    1409. 

  1409. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("%s:%d", host.EndpointIP.String(), listenPort)
    1410. 

  1410. 		}
    1411. 

  1411. 		userConf.Enabled = true
    1412. 

  1412. 		parentNetwork, err := logic.GetNetwork(node.Network)
    1413. 

  1413. 		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
    1414. 

  1414. 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
    1415. 

  1415. 		}
    1416. 

  1416. 		userConf.Tags = make(map[models.TagID]struct{})
    1417. 

  1417. 		// userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
    1418. 

  1418. 		// 	models.RemoteAccessTagName))] = struct{}{}
    1419. 

  1419. 		if err = logic.CreateExtClient(&userConf); err != nil {
    1420. 

  1420. 			slog.Error(
    1421. 

  1421. 				"failed to create extclient",
    1422. 

  1422. 				"user",
    1423. 

  1423. 				r.Header.Get("user"),
    1424. 

  1424. 				"network",
    1425. 

  1425. 				node.Network,
    1426. 

  1426. 				"error",
    1427. 

  1427. 				err,
    1428. 

  1428. 			)
    1429. 

  1429. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1430. 

  1430. 			return
    1431. 

  1431. 		}
    1432. 

  1432. 	}
    1433. 

  1433. 	userGw := models.UserRemoteGws{
    1434. 

  1434. 		GwID:              node.ID.String(),
    1435. 

  1435. 		GWName:            host.Name,
    1436. 

  1436. 		Network:           node.Network,
    1437. 

  1437. 		GwClient:          userConf,
    1438. 

  1438. 		Connected:         true,
    1439. 

  1439. 		IsInternetGateway: node.IsInternetGateway,
    1440. 

  1440. 		GwPeerPublicKey:   host.PublicKey.String(),
    1441. 

  1441. 		GwListenPort:      logic.GetPeerListenPort(host),
    1442. 

  1442. 		Metadata:          node.Metadata,
    1443. 

  1443. 		AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1444. 

  1444. 		NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1445. 

  1445. 		ManageDNS:         host.DNS == "yes",
    1446. 

  1446. 		DnsAddress:        node.IngressDNS,
    1447. 

  1447. 		Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1448. 

  1448. 	}
    1449. 

  1449. 

  1450. 	slog.Debug("returned user gw config", "user", user.UserName, "gws", userGw)
    1451. 

  1451. 	logic.ReturnSuccessResponseWithJson(w, r, userGw, "fetched user config to gw "+remoteGwID)
    1452. 

  1452. }
    1453. 

  1453. 

  1454. // @Summary     Get Users Remote Access Gw.
    1455. 

  1455. // @Router      /api/users/{username}/remote_access_gw [get]
    1456. 

  1456. // @Tags        Users
    1457. 

  1457. // @Param       username path string true "Username to fetch all the gateways with access"
    1458. 

  1458. // @Success     200 {object} map[string][]models.UserRemoteGws
    1459. 

  1459. // @Failure     500 {object} models.ErrorResponse
    1460. 

  1460. func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
    1461. 

  1461. 	// set header.
    1462. 

  1462. 	w.Header().Set("Content-Type", "application/json")
    1463. 

  1463. 	var params = mux.Vars(r)
    1464. 

  1464. 	username := params["username"]
    1465. 

  1465. 	if username == "" {
    1466. 

  1466. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
    1467. 

  1467. 		return
    1468. 

  1468. 	}
    1469. 

  1469. 	user, err := logic.GetUser(username)
    1470. 

  1470. 	if err != nil {
    1471. 

  1471. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1472. 

  1472. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1473. 

  1473. 		return
    1474. 

  1474. 	}
    1475. 

  1475. 	deviceID := r.URL.Query().Get("device_id")
    1476. 

  1476. 	remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
    1477. 

  1477. 	var req models.UserRemoteGwsReq
    1478. 

  1478. 	if remoteAccessClientID == "" {
    1479. 

  1479. 		err := json.NewDecoder(r.Body).Decode(&req)
    1480. 

  1480. 		if err != nil {
    1481. 

  1481. 			slog.Error("error decoding request body: ", "error", err)
    1482. 

  1482. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1483. 

  1483. 			return
    1484. 

  1484. 		}
    1485. 

  1485. 	}
    1486. 

  1486. 	reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
    1487. 

  1487. 	if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
    1488. 

  1488. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
    1489. 

  1489. 		return
    1490. 

  1490. 	}
    1491. 

  1491. 	if req.RemoteAccessClientID == "" {
    1492. 

  1492. 		req.RemoteAccessClientID = remoteAccessClientID
    1493. 

  1493. 	}
    1494. 

  1494. 	userGws := make(map[string][]models.UserRemoteGws)
    1495. 

  1495. 	allextClients, err := logic.GetAllExtClients()
    1496. 

  1496. 	if err != nil {
    1497. 

  1497. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1498. 

  1498. 		return
    1499. 

  1499. 	}
    1500. 

  1500. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1501. 

  1501. 

  1502. 	userExtClients := make(map[string][]models.ExtClient)
    1503. 

  1503. 

  1504. 	// group all extclients of the requesting user by ingress
    1505. 

  1505. 	// gateway.
    1506. 

  1506. 	for _, extClient := range allextClients {
    1507. 

  1507. 		// filter our extclients that don't belong to this user.
    1508. 

  1508. 		if extClient.OwnerID != username {
    1509. 

  1509. 			continue
    1510. 

  1510. 		}
    1511. 

  1511. 

  1512. 		if extClient.RemoteAccessClientID == "" {
    1513. 

  1513. 			continue
    1514. 

  1514. 		}
    1515. 

  1515. 

  1516. 		_, ok := userExtClients[extClient.IngressGatewayID]
    1517. 

  1517. 		if !ok {
    1518. 

  1518. 			userExtClients[extClient.IngressGatewayID] = []models.ExtClient{}
    1519. 

  1519. 		}
    1520. 

  1520. 

  1521. 		userExtClients[extClient.IngressGatewayID] = append(userExtClients[extClient.IngressGatewayID], extClient)
    1522. 

  1522. 	}
    1523. 

  1523. 

  1524. 	for ingressGatewayID, extClients := range userExtClients {
    1525. 

  1525. 		logic.SortExtClient(extClients)
    1526. 

  1526. 

  1527. 		node, ok := userGwNodes[ingressGatewayID]
    1528. 

  1528. 		if !ok {
    1529. 

  1529. 			continue
    1530. 

  1530. 		}
    1531. 

  1531. 

  1532. 		var gwClient models.ExtClient
    1533. 

  1533. 		var found bool
    1534. 

  1534. 		if deviceID != "" {
    1535. 

  1535. 			for _, extClient := range extClients {
    1536. 

  1536. 				if extClient.DeviceID == deviceID {
    1537. 

  1537. 					gwClient = extClient
    1538. 

  1538. 					found = true
    1539. 

  1539. 					break
    1540. 

  1540. 				}
    1541. 

  1541. 			}
    1542. 

  1542. 		}
    1543. 

  1543. 

  1544. 		if !found && req.RemoteAccessClientID != "" {
    1545. 

  1545. 			for _, extClient := range extClients {
    1546. 

  1546. 				if extClient.RemoteAccessClientID == req.RemoteAccessClientID {
    1547. 

  1547. 					gwClient = extClient
    1548. 

  1548. 					found = true
    1549. 

  1549. 					break
    1550. 

  1550. 				}
    1551. 

  1551. 			}
    1552. 

  1552. 		}
    1553. 

  1553. 

  1554. 		if !found && len(extClients) > 0 {
    1555. 

  1555. 			// TODO: prevent ip clashes.
    1556. 

  1556. 			gwClient = extClients[0]
    1557. 

  1557. 		}
    1558. 

  1558. 

  1559. 		host, err := logic.GetHost(node.HostID.String())
    1560. 

  1560. 		if err != nil {
    1561. 

  1561. 			continue
    1562. 

  1562. 		}
    1563. 

  1563. 		network, err := logic.GetNetwork(node.Network)
    1564. 

  1564. 		if err != nil {
    1565. 

  1565. 			slog.Error("failed to get node network", "error", err)
    1566. 

  1566. 			continue
    1567. 

  1567. 		}
    1568. 

  1568. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1569. 

  1569. 		if len(nodesWithStatus) > 0 {
    1570. 

  1570. 			node = nodesWithStatus[0]
    1571. 

  1571. 		}
    1572. 

  1572. 

  1573. 		gws := userGws[node.Network]
    1574. 

  1574. 		if gwClient.DNS == "" {
    1575. 

  1575. 			logic.SetDNSOnWgConfig(&node, &gwClient)
    1576. 

  1576. 		}
    1577. 

  1577. 

  1578. 		gwClient.IngressGatewayEndpoint = utils.GetExtClientEndpoint(
    1579. 

  1579. 			host.EndpointIP,
    1580. 

  1580. 			host.EndpointIPv6,
    1581. 

  1581. 			logic.GetPeerListenPort(host),
    1582. 

  1582. 		)
    1583. 

  1583. 		gwClient.AllowedIPs = logic.GetExtclientAllowedIPs(gwClient)
    1584. 

  1584. 		gw := models.UserRemoteGws{
    1585. 

  1585. 			GwID:              node.ID.String(),
    1586. 

  1586. 			GWName:            host.Name,
    1587. 

  1587. 			Network:           node.Network,
    1588. 

  1588. 			GwClient:          gwClient,
    1589. 

  1589. 			Connected:         true,
    1590. 

  1590. 			IsInternetGateway: node.IsInternetGateway,
    1591. 

  1591. 			GwPeerPublicKey:   host.PublicKey.String(),
    1592. 

  1592. 			GwListenPort:      logic.GetPeerListenPort(host),
    1593. 

  1593. 			Metadata:          node.Metadata,
    1594. 

  1594. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1595. 

  1595. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1596. 

  1596. 			Status:            node.Status,
    1597. 

  1597. 			ManageDNS:         host.DNS == "yes",
    1598. 

  1598. 			DnsAddress:        node.IngressDNS,
    1599. 

  1599. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1600. 

  1600. 		}
    1601. 

  1601. 		if !node.IsInternetGateway {
    1602. 

  1602. 			hNs := logic.GetNameserversForNode(&node)
    1603. 

  1603. 			for _, nsI := range hNs {
    1604. 

  1604. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1605. 

  1605. 			}
    1606. 

  1606. 		}
    1607. 

  1607. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1608. 

  1608. 		gws = append(gws, gw)
    1609. 

  1609. 		userGws[node.Network] = gws
    1610. 

  1610. 		delete(userGwNodes, node.ID.String())
    1611. 

  1611. 	}
    1612. 

  1612. 

  1613. 	// add remaining gw nodes to resp
    1614. 

  1614. 	for gwID := range userGwNodes {
    1615. 

  1615. 		node, err := logic.GetNodeByID(gwID)
    1616. 

  1616. 		if err != nil {
    1617. 

  1617. 			continue
    1618. 

  1618. 		}
    1619. 

  1619. 		if !node.IsIngressGateway {
    1620. 

  1620. 			continue
    1621. 

  1621. 		}
    1622. 

  1622. 		if node.PendingDelete {
    1623. 

  1623. 			continue
    1624. 

  1624. 		}
    1625. 

  1625. 		host, err := logic.GetHost(node.HostID.String())
    1626. 

  1626. 		if err != nil {
    1627. 

  1627. 			continue
    1628. 

  1628. 		}
    1629. 

  1629. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1630. 

  1630. 		if len(nodesWithStatus) > 0 {
    1631. 

  1631. 			node = nodesWithStatus[0]
    1632. 

  1632. 		}
    1633. 

  1633. 		network, err := logic.GetNetwork(node.Network)
    1634. 

  1634. 		if err != nil {
    1635. 

  1635. 			slog.Error("failed to get node network", "error", err)
    1636. 

  1636. 		}
    1637. 

  1637. 		gws := userGws[node.Network]
    1638. 

  1638. 		gw := models.UserRemoteGws{
    1639. 

  1639. 			GwID:              node.ID.String(),
    1640. 

  1640. 			GWName:            host.Name,
    1641. 

  1641. 			Network:           node.Network,
    1642. 

  1642. 			IsInternetGateway: node.IsInternetGateway,
    1643. 

  1643. 			GwPeerPublicKey:   host.PublicKey.String(),
    1644. 

  1644. 			GwListenPort:      logic.GetPeerListenPort(host),
    1645. 

  1645. 			Metadata:          node.Metadata,
    1646. 

  1646. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1647. 

  1647. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1648. 

  1648. 			Status:            node.Status,
    1649. 

  1649. 			ManageDNS:         host.DNS == "yes",
    1650. 

  1650. 			DnsAddress:        node.IngressDNS,
    1651. 

  1651. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1652. 

  1652. 		}
    1653. 

  1653. 		if !node.IsInternetGateway {
    1654. 

  1654. 			hNs := logic.GetNameserversForNode(&node)
    1655. 

  1655. 			for _, nsI := range hNs {
    1656. 

  1656. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1657. 

  1657. 			}
    1658. 

  1658. 		}
    1659. 

  1659. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1660. 

  1660. 		gws = append(gws, gw)
    1661. 

  1661. 		userGws[node.Network] = gws
    1662. 

  1662. 	}
    1663. 

  1663. 

  1664. 	if reqFromMobile {
    1665. 

  1665. 		// send resp in array format
    1666. 

  1666. 		userGwsArr := []models.UserRemoteGws{}
    1667. 

  1667. 		for _, userGwI := range userGws {
    1668. 

  1668. 			userGwsArr = append(userGwsArr, userGwI...)
    1669. 

  1669. 		}
    1670. 

  1670. 		logic.ReturnSuccessResponseWithJson(w, r, userGwsArr, "fetched gateways for user"+username)
    1671. 

  1671. 		return
    1672. 

  1672. 	}
    1673. 

  1673. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1674. 

  1674. 	w.WriteHeader(http.StatusOK)
    1675. 

  1675. 	json.NewEncoder(w).Encode(userGws)
    1676. 

  1676. }
    1677. 

  1677. 

  1678. // @Summary     List users attached to an remote access gateway
    1679. 

  1679. // @Router      /api/nodes/{network}/{nodeid}/ingress/users [get]
    1680. 

  1680. // @Tags        PRO
    1681. 

  1681. // @Accept      json
    1682. 

  1682. // @Produce     json
    1683. 

  1683. // @Param       ingress_id path string true "Ingress Gateway ID"
    1684. 

  1684. // @Success     200 {array} models.IngressGwUsers
    1685. 

  1685. // @Failure     400 {object} models.ErrorResponse
    1686. 

  1686. // @Failure     500 {object} models.ErrorResponse
    1687. 

  1687. func ingressGatewayUsers(w http.ResponseWriter, r *http.Request) {
    1688. 

  1688. 	w.Header().Set("Content-Type", "application/json")
    1689. 

  1689. 	var params = mux.Vars(r)
    1690. 

  1690. 	ingressID := params["ingress_id"]
    1691. 

  1691. 	node, err := logic.GetNodeByID(ingressID)
    1692. 

  1692. 	if err != nil {
    1693. 

  1693. 		slog.Error("failed to get ingress node", "error", err)
    1694. 

  1694. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1695. 

  1695. 		return
    1696. 

  1696. 	}
    1697. 

  1697. 	gwUsers, err := logic.GetIngressGwUsers(node)
    1698. 

  1698. 	if err != nil {
    1699. 

  1699. 		slog.Error(
    1700. 

  1700. 			"failed to get users on ingress gateway",
    1701. 

  1701. 			"nodeid",
    1702. 

  1702. 			ingressID,
    1703. 

  1703. 			"network",
    1704. 

  1704. 			node.Network,
    1705. 

  1705. 			"user",
    1706. 

  1706. 			r.Header.Get("user"),
    1707. 

  1707. 			"error",
    1708. 

  1708. 			err,
    1709. 

  1709. 		)
    1710. 

  1710. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1711. 

  1711. 		return
    1712. 

  1712. 	}
    1713. 

  1713. 	w.WriteHeader(http.StatusOK)
    1714. 

  1714. 	json.NewEncoder(w).Encode(gwUsers)
    1715. 

  1715. }
    1716. 

  1716. 

  1717. func getAllowedRagEndpoints(ragNode *models.Node, ragHost *models.Host) []string {
    1718. 

  1718. 	endpoints := []string{}
    1719. 

  1719. 	if len(ragHost.EndpointIP) > 0 {
    1720. 

  1720. 		endpoints = append(endpoints, ragHost.EndpointIP.String())
    1721. 

  1721. 	}
    1722. 

  1722. 	if len(ragHost.EndpointIPv6) > 0 {
    1723. 

  1723. 		endpoints = append(endpoints, ragHost.EndpointIPv6.String())
    1724. 

  1724. 	}
    1725. 

  1725. 	if servercfg.IsPro {
    1726. 

  1726. 		for _, ip := range ragNode.AdditionalRagIps {
    1727. 

  1727. 			endpoints = append(endpoints, ip.String())
    1728. 

  1728. 		}
    1729. 

  1729. 	}
    1730. 

  1730. 	return endpoints
    1731. 

  1731. }
    1732. 

  1732. 

  1733. // @Summary     Get all pending users
    1734. 

  1734. // @Router      /api/users_pending [get]
    1735. 

  1735. // @Tags        Users
    1736. 

  1736. // @Success     200 {array} models.User
    1737. 

  1737. // @Failure     500 {object} models.ErrorResponse
    1738. 

  1738. func getPendingUsers(w http.ResponseWriter, r *http.Request) {
    1739. 

  1739. 	// set header.
    1740. 

  1740. 	w.Header().Set("Content-Type", "application/json")
    1741. 

  1741. 

  1742. 	users, err := logic.ListPendingReturnUsers()
    1743. 

  1743. 	if err != nil {
    1744. 

  1744. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1745. 

  1745. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1746. 

  1746. 		return
    1747. 

  1747. 	}
    1748. 

  1748. 

  1749. 	logic.SortUsers(users[:])
    1750. 

  1750. 	logger.Log(2, r.Header.Get("user"), "fetched pending users")
    1751. 

  1751. 	json.NewEncoder(w).Encode(users)
    1752. 

  1752. }
    1753. 

  1753. 

  1754. // @Summary     Approve a pending user
    1755. 

  1755. // @Router      /api/users_pending/user/{username} [post]
    1756. 

  1756. // @Tags        Users
    1757. 

  1757. // @Param       username path string true "Username of the pending user to approve"
    1758. 

  1758. // @Success     200 {string} string
    1759. 

  1759. // @Failure     500 {object} models.ErrorResponse
    1760. 

  1760. func approvePendingUser(w http.ResponseWriter, r *http.Request) {
    1761. 

  1761. 	// set header.
    1762. 

  1762. 	w.Header().Set("Content-Type", "application/json")
    1763. 

  1763. 	var params = mux.Vars(r)
    1764. 

  1764. 	username := params["username"]
    1765. 

  1765. 	users, err := logic.ListPendingUsers()
    1766. 

  1766. 

  1767. 	if err != nil {
    1768. 

  1768. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1769. 

  1769. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1770. 

  1770. 		return
    1771. 

  1771. 	}
    1772. 

  1772. 	for _, user := range users {
    1773. 

  1773. 		if user.UserName == username {
    1774. 

  1774. 			var newPass, fetchErr = logic.FetchPassValue("")
    1775. 

  1775. 			if fetchErr != nil {
    1776. 

  1776. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
    1777. 

  1777. 				return
    1778. 

  1778. 			}
    1779. 

  1779. 			if err = logic.CreateUser(&models.User{
    1780. 

  1780. 				UserName:                   user.UserName,
    1781. 

  1781. 				ExternalIdentityProviderID: user.ExternalIdentityProviderID,
    1782. 

  1782. 				Password:                   newPass,
    1783. 

  1783. 				AuthType:                   user.AuthType,
    1784. 

  1784. 				PlatformRoleID:             models.ServiceUser,
    1785. 

  1785. 			}); err != nil {
    1786. 

  1786. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to create user: %s", err), "internal"))
    1787. 

  1787. 				return
    1788. 

  1788. 			}
    1789. 

  1789. 			err = logic.DeletePendingUser(username)
    1790. 

  1790. 			if err != nil {
    1791. 

  1791. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1792. 

  1792. 				return
    1793. 

  1793. 			}
    1794. 

  1794. 			break
    1795. 

  1795. 		}
    1796. 

  1796. 	}
    1797. 

  1797. 	logic.LogEvent(&models.Event{
    1798. 

  1798. 		Action: models.Create,
    1799. 

  1799. 		Source: models.Subject{
    1800. 

  1800. 			ID:   r.Header.Get("user"),
    1801. 

  1801. 			Name: r.Header.Get("user"),
    1802. 

  1802. 			Type: models.UserSub,
    1803. 

  1803. 		},
    1804. 

  1804. 		TriggeredBy: r.Header.Get("user"),
    1805. 

  1805. 		Target: models.Subject{
    1806. 

  1806. 			ID:   username,
    1807. 

  1807. 			Name: username,
    1808. 

  1808. 			Type: models.PendingUserSub,
    1809. 

  1809. 		},
    1810. 

  1810. 		Origin: models.Dashboard,
    1811. 

  1811. 	})
    1812. 

  1812. 	logic.ReturnSuccessResponse(w, r, "approved "+username)
    1813. 

  1813. }
    1814. 

  1814. 

  1815. // @Summary     Delete a pending user
    1816. 

  1816. // @Router      /api/users_pending/user/{username} [delete]
    1817. 

  1817. // @Tags        Users
    1818. 

  1818. // @Param       username path string true "Username of the pending user to delete"
    1819. 

  1819. // @Success     200 {string} string
    1820. 

  1820. // @Failure     500 {object} models.ErrorResponse
    1821. 

  1821. func deletePendingUser(w http.ResponseWriter, r *http.Request) {
    1822. 

  1822. 	// set header.
    1823. 

  1823. 	w.Header().Set("Content-Type", "application/json")
    1824. 

  1824. 	var params = mux.Vars(r)
    1825. 

  1825. 	username := params["username"]
    1826. 

  1826. 	users, err := logic.ListPendingReturnUsers()
    1827. 

  1827. 

  1828. 	if err != nil {
    1829. 

  1829. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1830. 

  1830. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1831. 

  1831. 		return
    1832. 

  1832. 	}
    1833. 

  1833. 	for _, user := range users {
    1834. 

  1834. 		if user.UserName == username {
    1835. 

  1835. 			err = logic.DeletePendingUser(username)
    1836. 

  1836. 			if err != nil {
    1837. 

  1837. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1838. 

  1838. 				return
    1839. 

  1839. 			}
    1840. 

  1840. 			break
    1841. 

  1841. 		}
    1842. 

  1842. 	}
    1843. 

  1843. 	logic.LogEvent(&models.Event{
    1844. 

  1844. 		Action: models.Delete,
    1845. 

  1845. 		Source: models.Subject{
    1846. 

  1846. 			ID:   r.Header.Get("user"),
    1847. 

  1847. 			Name: r.Header.Get("user"),
    1848. 

  1848. 			Type: models.UserSub,
    1849. 

  1849. 		},
    1850. 

  1850. 		TriggeredBy: r.Header.Get("user"),
    1851. 

  1851. 		Target: models.Subject{
    1852. 

  1852. 			ID:   username,
    1853. 

  1853. 			Name: username,
    1854. 

  1854. 			Type: models.PendingUserSub,
    1855. 

  1855. 		},
    1856. 

  1856. 		Origin: models.Dashboard,
    1857. 

  1857. 	})
    1858. 

  1858. 	logic.ReturnSuccessResponse(w, r, "deleted pending "+username)
    1859. 

  1859. }
    1860. 

  1860. 

  1861. // @Summary     Delete all pending users
    1862. 

  1862. // @Router      /api/users_pending [delete]
    1863. 

  1863. // @Tags        Users
    1864. 

  1864. // @Success     200 {string} string
    1865. 

  1865. // @Failure     500 {object} models.ErrorResponse
    1866. 

  1866. func deleteAllPendingUsers(w http.ResponseWriter, r *http.Request) {
    1867. 

  1867. 	// set header.
    1868. 

  1868. 	err := database.DeleteAllRecords(database.PENDING_USERS_TABLE_NAME)
    1869. 

  1869. 	if err != nil {
    1870. 

  1870. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending users "+err.Error()), "internal"))
    1871. 

  1871. 		return
    1872. 

  1872. 	}
    1873. 

  1873. 	logic.LogEvent(&models.Event{
    1874. 

  1874. 		Action: models.DeleteAll,
    1875. 

  1875. 		Source: models.Subject{
    1876. 

  1876. 			ID:   r.Header.Get("user"),
    1877. 

  1877. 			Name: r.Header.Get("user"),
    1878. 

  1878. 			Type: models.UserSub,
    1879. 

  1879. 		},
    1880. 

  1880. 		TriggeredBy: r.Header.Get("user"),
    1881. 

  1881. 		Target: models.Subject{
    1882. 

  1882. 			ID:   r.Header.Get("user"),
    1883. 

  1883. 			Name: r.Header.Get("user"),
    1884. 

  1884. 			Type: models.PendingUserSub,
    1885. 

  1885. 		},
    1886. 

  1886. 		Origin: models.Dashboard,
    1887. 

  1887. 	})
    1888. 

  1888. 	logic.ReturnSuccessResponse(w, r, "cleared all pending users")
    1889. 

  1889. }
    1890. 

  1890. 

  1891. // @Summary     Sync users and groups from idp.
    1892. 

  1892. // @Router      /api/idp/sync [post]
    1893. 

  1893. // @Tags        IDP
    1894. 

  1894. // @Success     200 {object} models.SuccessResponse
    1895. 

  1895. func syncIDP(w http.ResponseWriter, r *http.Request) {
    1896. 

  1896. 	go func() {
    1897. 

  1897. 		err := proAuth.SyncFromIDP()
    1898. 

  1898. 		if err != nil {
    1899. 

  1899. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    1900. 

  1900. 		} else {
    1901. 

  1901. 			logger.Log(0, "sync from idp complete")
    1902. 

  1902. 		}
    1903. 

  1903. 	}()
    1904. 

  1904. 

  1905. 	logic.ReturnSuccessResponse(w, r, "starting sync from idp")
    1906. 

  1906. }
    1907. 

  1907. 

  1908. // @Summary     Test IDP Sync Credentials.
    1909. 

  1909. // @Router      /api/idp/sync/test [post]
    1910. 

  1910. // @Tags        IDP
    1911. 

  1911. // @Success     200 {object} models.SuccessResponse
    1912. 

  1912. // @Failure     400 {object} models.ErrorResponse
    1913. 

  1913. func testIDPSync(w http.ResponseWriter, r *http.Request) {
    1914. 

  1914. 	var req models.IDPSyncTestRequest
    1915. 

  1915. 	err := json.NewDecoder(r.Body).Decode(&req)
    1916. 

  1916. 	if err != nil {
    1917. 

  1917. 		err = fmt.Errorf("failed to decode request body: %v", err)
    1918. 

  1918. 		logger.Log(0, err.Error())
    1919. 

  1919. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1920. 

  1920. 		return
    1921. 

  1921. 	}
    1922. 

  1922. 

  1923. 	var idpClient idp.Client
    1924. 

  1924. 	switch req.AuthProvider {
    1925. 

  1925. 	case "google":
    1926. 

  1926. 		idpClient, err = google.NewGoogleWorkspaceClient(req.GoogleAdminEmail, req.GoogleSACredsJson)
    1927. 

  1927. 		if err != nil {
    1928. 

  1928. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1929. 

  1929. 			return
    1930. 

  1930. 		}
    1931. 

  1931. 	case "azure-ad":
    1932. 

  1932. 		idpClient = azure.NewAzureEntraIDClient(req.ClientID, req.ClientSecret, req.AzureTenantID)
    1933. 

  1933. 	case "okta":
    1934. 

  1934. 		idpClient, err = okta.NewOktaClient(req.OktaOrgURL, req.OktaAPIToken)
    1935. 

  1935. 		if err != nil {
    1936. 

  1936. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1937. 

  1937. 			return
    1938. 

  1938. 		}
    1939. 

  1939. 	default:
    1940. 

  1940. 		err = fmt.Errorf("invalid auth provider: %s", req.AuthProvider)
    1941. 

  1941. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1942. 

  1942. 		return
    1943. 

  1943. 	}
    1944. 

  1944. 

  1945. 	err = idpClient.Verify()
    1946. 

  1946. 	if err != nil {
    1947. 

  1947. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1948. 

  1948. 		return
    1949. 

  1949. 	}
    1950. 

  1950. 

  1951. 	logic.ReturnSuccessResponse(w, r, "idp sync test successful")
    1952. 

  1952. }
    1953. 

  1953. 

  1954. // @Summary     Gets idp sync status.
    1955. 

  1955. // @Router      /api/idp/sync/status [get]
    1956. 

  1956. // @Tags        IDP
    1957. 

  1957. // @Success     200 {object} models.SuccessResponse
    1958. 

  1958. func getIDPSyncStatus(w http.ResponseWriter, r *http.Request) {
    1959. 

  1959. 	logic.ReturnSuccessResponseWithJson(w, r, proAuth.GetIDPSyncStatus(), "idp sync status retrieved")
    1960. 

  1960. }
    1961. 

  1961. 

  1962. // @Summary     Remove idp integration.
    1963. 

  1963. // @Router      /api/idp [delete]
    1964. 

  1964. // @Tags        IDP
    1965. 

  1965. // @Success     200 {object} models.SuccessResponse
    1966. 

  1966. // @Failure     500 {object} models.ErrorResponse
    1967. 

  1967. func removeIDPIntegration(w http.ResponseWriter, r *http.Request) {
    1968. 

  1968. 	superAdmin, err := logic.GetSuperAdmin()
    1969. 

  1969. 	if err != nil {
    1970. 

  1970. 		logic.ReturnErrorResponse(
    1971. 

  1971. 			w,
    1972. 

  1972. 			r,
    1973. 

  1973. 			logic.FormatError(fmt.Errorf("failed to get superadmin: %v", err), "internal"),
    1974. 

  1974. 		)
    1975. 

  1975. 		return
    1976. 

  1976. 	}
    1977. 

  1977. 

  1978. 	if superAdmin.AuthType == models.OAuth {
    1979. 

  1979. 		err := fmt.Errorf(
    1980. 

  1980. 			"cannot remove IdP integration because an OAuth user has the super-admin role; transfer the super-admin role to another user first",
    1981. 

  1981. 		)
    1982. 

  1982. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1983. 

  1983. 		return
    1984. 

  1984. 	}
    1985. 

  1985. 

  1986. 	settings := logic.GetServerSettings()
    1987. 

  1987. 	settings.AuthProvider = ""
    1988. 

  1988. 	settings.OIDCIssuer = ""
    1989. 

  1989. 	settings.ClientID = ""
    1990. 

  1990. 	settings.ClientSecret = ""
    1991. 

  1991. 	settings.SyncEnabled = false
    1992. 

  1992. 	settings.GoogleAdminEmail = ""
    1993. 

  1993. 	settings.GoogleSACredsJson = ""
    1994. 

  1994. 	settings.AzureTenant = ""
    1995. 

  1995. 	settings.UserFilters = nil
    1996. 

  1996. 	settings.GroupFilters = nil
    1997. 

  1997. 

  1998. 	err = logic.UpsertServerSettings(settings)
    1999. 

  1999. 	if err != nil {
    2000. 

  2000. 		logic.ReturnErrorResponse(
    2001. 

  2001. 			w,
    2002. 

  2002. 			r,
    2003. 

  2003. 			logic.FormatError(fmt.Errorf("failed to remove idp integration: %v", err), "internal"),
    2004. 

  2004. 		)
    2005. 

  2005. 		return
    2006. 

  2006. 	}
    2007. 

  2007. 

  2008. 	proAuth.ResetAuthProvider()
    2009. 

  2009. 	proAuth.ResetIDPSyncHook()
    2010. 

  2010. 

  2011. 	go func() {
    2012. 

  2012. 		err := proAuth.SyncFromIDP()
    2013. 

  2013. 		if err != nil {
    2014. 

  2014. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    2015. 

  2015. 		} else {
    2016. 

  2016. 			logger.Log(0, "sync from idp complete")
    2017. 

  2017. 		}
    2018. 

  2018. 	}()
    2019. 

  2019. 

  2020. 	logic.ReturnSuccessResponse(w, r, "removed idp integration successfully")
    2021. 

  2021. }
    2022.