| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470 |
- package controller
- import (
- "gopkg.in/go-playground/validator.v9"
- "github.com/gravitl/netmaker/models"
- "github.com/gravitl/netmaker/functions"
- "github.com/gravitl/netmaker/mongoconn"
- "golang.org/x/crypto/bcrypt"
- "time"
- "strings"
- "fmt"
- "context"
- "encoding/json"
- "net/http"
- "github.com/gorilla/mux"
- "go.mongodb.org/mongo-driver/bson"
- "go.mongodb.org/mongo-driver/mongo/options"
- "go.mongodb.org/mongo-driver/mongo"
- )
- func userHandlers(r *mux.Router) {
- r.HandleFunc("/users/hasadmin", hasAdmin).Methods("GET")
- r.HandleFunc("/users/createadmin", createAdmin).Methods("POST")
- r.HandleFunc("/users/{username}", authorizeUser(http.HandlerFunc(updateUser))).Methods("PUT")
- r.HandleFunc("/users/{username}", authorizeUser(http.HandlerFunc(deleteUser))).Methods("DELETE")
- r.HandleFunc("/users/{username}", authorizeUser(http.HandlerFunc(getUser))).Methods("GET")
- r.HandleFunc("/users/authenticate", authenticateUser).Methods("POST")
- }
- //Node authenticates using its password and retrieves a JWT for authorization.
- func authenticateUser(response http.ResponseWriter, request *http.Request) {
- //Auth request consists of Mac Address and Password (from node that is authorizing
- //in case of Master, auth is ignored and mac is set to "mastermac"
- var authRequest models.UserAuthParams
- var result models.User
- var errorResponse = models.ErrorResponse{
- Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
- }
- decoder := json.NewDecoder(request.Body)
- decoderErr := decoder.Decode(&authRequest)
- defer request.Body.Close()
- if decoderErr != nil {
- returnErrorResponse(response, request, errorResponse)
- } else {
- errorResponse.Code = http.StatusBadRequest
- if authRequest.UserName == "" {
- errorResponse.Message = "W1R3: Username can't be empty"
- returnErrorResponse(response, request, errorResponse)
- } else if authRequest.Password == "" {
- errorResponse.Message = "W1R3: Password can't be empty"
- returnErrorResponse(response, request, errorResponse)
- } else {
- //Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API untill approved).
- collection := mongoconn.Client.Database("wirecat").Collection("users")
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- var err = collection.FindOne(ctx, bson.M{ "username": authRequest.UserName }).Decode(&result)
- defer cancel()
- if err != nil {
- returnErrorResponse(response, request, errorResponse)
- }
- //compare password from request to stored password in database
- //might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
- //TODO: Consider a way of hashing the password client side before sending, or using certificates
- err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password))
- if err != nil {
- returnErrorResponse(response, request, errorResponse)
- } else {
- //Create a new JWT for the node
- tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.IsAdmin)
- if tokenString == "" {
- returnErrorResponse(response, request, errorResponse)
- }
- var successResponse = models.SuccessResponse{
- Code: http.StatusOK,
- Message: "W1R3: Device " + authRequest.UserName + " Authorized",
- Response: models.SuccessfulUserLoginResponse{
- AuthToken: tokenString,
- UserName: authRequest.UserName,
- },
- }
- //Send back the JWT
- successJSONResponse, jsonError := json.Marshal(successResponse)
- if jsonError != nil {
- returnErrorResponse(response, request, errorResponse)
- }
- response.Header().Set("Content-Type", "application/json")
- response.Write(successJSONResponse)
- }
- }
- }
- }
- //The middleware for most requests to the API
- //They all pass through here first
- //This will validate the JWT (or check for master token)
- //This will also check against the authGroup and make sure the node should be accessing that endpoint,
- //even if it's technically ok
- //This is kind of a poor man's RBAC. There's probably a better/smarter way.
- //TODO: Consider better RBAC implementations
- func authorizeUser(next http.Handler) http.HandlerFunc {
- return func(w http.ResponseWriter, r *http.Request) {
- var errorResponse = models.ErrorResponse{
- Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
- }
- w.Header().Set("Content-Type", "application/json")
- //get the auth token
- bearerToken := r.Header.Get("Authorization")
- var tokenSplit = strings.Split(bearerToken, " ")
- //I put this in in case the user doesn't put in a token at all (in which case it's empty)
- //There's probably a smarter way of handling this.
- var authToken = "928rt238tghgwe@TY@$Y@#WQAEGB2FC#@HG#@$Hddd"
- if len(tokenSplit) > 1 {
- authToken = tokenSplit[1]
- } else {
- errorResponse = models.ErrorResponse{
- Code: http.StatusUnauthorized, Message: "W1R3: Missing Auth Token.",
- }
- returnErrorResponse(w, r, errorResponse)
- }
- //This checks if
- //A: the token is the master password
- //B: the token corresponds to a mac address, and if so, which one
- //TODO: There's probably a better way of dealing with the "master token"/master password. Plz Halp.
- username, _, err := functions.VerifyUserToken(authToken)
- if err != nil {
- errorResponse = models.ErrorResponse{
- Code: http.StatusUnauthorized, Message: "W1R3: Error Verifying Auth Token.",
- }
- returnErrorResponse(w, r, errorResponse)
- }
- isAuthorized := username != ""
- if !isAuthorized {
- errorResponse = models.ErrorResponse{
- Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
- }
- returnErrorResponse(w, r, errorResponse)
- } else {
- //If authorized, this function passes along it's request and output to the appropriate route function.
- next.ServeHTTP(w, r)
- }
- }
- }
- func HasAdmin() (bool, error){
- collection := mongoconn.Client.Database("wirecat").Collection("users")
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- filter := bson.M{"isadmin": true}
- //Filtering out the ID field cuz Dillon doesn't like it. May want to filter out other fields in the future
- var result bson.M
- err := collection.FindOne(ctx, filter).Decode(&result)
- defer cancel()
- if err != nil {
- if err == mongo.ErrNoDocuments {
- return false, err
- }
- fmt.Println(err)
- }
- return true, err
- }
- func hasAdmin(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- hasadmin, _ := HasAdmin()
- //Returns all the nodes in JSON format
- json.NewEncoder(w).Encode(hasadmin)
- }
- func GetUser(username string) (models.User, error) {
- var user models.User
- collection := mongoconn.Client.Database("wirecat").Collection("users")
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- filter := bson.M{"username": username}
- err := collection.FindOne(ctx, filter, options.FindOne().SetProjection(bson.M{"_id": 0})).Decode(&user)
- defer cancel()
- return user, err
- }
- //Get an individual node. Nothin fancy here folks.
- func getUser(w http.ResponseWriter, r *http.Request) {
- // set header.
- w.Header().Set("Content-Type", "application/json")
- var params = mux.Vars(r)
- user, err := GetUser(params["username"])
- if err != nil {
- mongoconn.GetError(err, w)
- return
- }
- json.NewEncoder(w).Encode(user)
- }
- func CreateUser(user models.User) (models.User, error) {
- //encrypt that password so we never see it again
- hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 5)
- if err != nil {
- return user, err
- }
- //set password to encrypted password
- user.Password = string(hash)
- tokenString, _ := functions.CreateUserJWT(user.UserName, user.IsAdmin)
- if tokenString == "" {
- //returnErrorResponse(w, r, errorResponse)
- return user, err
- }
- // connect db
- collection := mongoconn.Client.Database("wirecat").Collection("users")
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- // insert our node to the node db.
- result, err := collection.InsertOne(ctx, user)
- _ = result
- defer cancel()
- return user, err
- }
- func createAdmin(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- var errorResponse = models.ErrorResponse{
- Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
- }
- hasadmin, err := HasAdmin()
- if hasadmin {
- errorResponse = models.ErrorResponse{
- Code: http.StatusUnauthorized, Message: "W1R3: Admin already exists! ",
- }
- returnErrorResponse(w, r, errorResponse)
- return
- }
- var admin models.User
- //get node from body of request
- _ = json.NewDecoder(r.Body).Decode(&admin)
- admin.IsAdmin = true
- err = ValidateUser("create", admin)
- if err != nil {
- json.NewEncoder(w).Encode(err)
- return
- }
- admin, err = CreateUser(admin)
- if err != nil {
- json.NewEncoder(w).Encode(err)
- return
- }
- json.NewEncoder(w).Encode(admin)
- }
- func UpdateUser(userchange models.User, user models.User) (models.User, error) {
- queryUser := user.UserName
- if userchange.UserName != "" {
- user.UserName = userchange.UserName
- }
- if userchange.Password != "" {
- //encrypt that password so we never see it again
- hash, err := bcrypt.GenerateFromPassword([]byte(userchange.Password), 5)
- if err != nil {
- return userchange, err
- }
- //set password to encrypted password
- userchange.Password = string(hash)
- user.Password = userchange.Password
- }
- //collection := mongoconn.ConnectDB()
- collection := mongoconn.Client.Database("wirecat").Collection("users")
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- // Create filter
- filter := bson.M{"username": queryUser}
- fmt.Println("Updating User " + user.UserName)
- // prepare update model.
- update := bson.D{
- {"$set", bson.D{
- {"username", user.UserName},
- {"password", user.Password},
- {"isadmin", user.IsAdmin},
- }},
- }
- var userupdate models.User
- errN := collection.FindOneAndUpdate(ctx, filter, update).Decode(&userupdate)
- if errN != nil {
- fmt.Println("Could not update: ")
- fmt.Println(errN)
- } else {
- fmt.Println("User updated successfully.")
- }
- defer cancel()
- return userupdate, errN
- }
- func updateUser(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json")
- var params = mux.Vars(r)
- var user models.User
- //start here
- user, err := GetUser(params["username"])
- if err != nil {
- json.NewEncoder(w).Encode(err)
- return
- }
- var userchange models.User
- // we decode our body request params
- err = json.NewDecoder(r.Body).Decode(&userchange)
- if err != nil {
- json.NewEncoder(w).Encode(err)
- return
- }
- userchange.IsAdmin = true
- err = ValidateUser("update", userchange)
- if err != nil {
- json.NewEncoder(w).Encode(err)
- return
- }
- user, err = UpdateUser(userchange, user)
- if err != nil {
- json.NewEncoder(w).Encode(err)
- return
- }
- json.NewEncoder(w).Encode(user)
- }
- func DeleteUser(user string) (bool, error) {
- deleted := false
- collection := mongoconn.Client.Database("wirecat").Collection("users")
- filter := bson.M{"username": user}
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
- result, err := collection.DeleteOne(ctx, filter)
- deletecount := result.DeletedCount
- if deletecount > 0 {
- deleted = true
- }
- defer cancel()
- return deleted, err
- }
- func deleteUser(w http.ResponseWriter, r *http.Request) {
- // Set header
- w.Header().Set("Content-Type", "application/json")
- // get params
- var params = mux.Vars(r)
- success, err := DeleteUser(params["username"])
- if err != nil || !success {
- http.Error(w, err.Error(), 400)
- json.NewEncoder(w).Encode("Could not delete user " + params["username"])
- return
- }
- json.NewEncoder(w).Encode(params["username"] + " deleted.")
- }
- func ValidateUser(operation string, user models.User) error {
- v := validator.New()
- _ = v.RegisterValidation("username_unique", func(fl validator.FieldLevel) bool {
- _, err := GetUser(user.UserName)
- return err == nil || operation == "update"
- })
- _ = v.RegisterValidation("username_valid", func(fl validator.FieldLevel) bool {
- isvalid := functions.NameInNodeCharSet(user.UserName)
- return isvalid
- })
- _ = v.RegisterValidation("password_check", func(fl validator.FieldLevel) bool {
- notEmptyCheck := user.Password != ""
- goodLength := len(user.Password) > 5
- return (notEmptyCheck && goodLength) || operation == "update"
- })
- err := v.Struct(user)
- if err != nil {
- for _, e := range err.(validator.ValidationErrors) {
- fmt.Println(e)
- }
- }
- return err
- }
|
