golang
/
netmaker
mirror of https://github.com/gravitl/netmaker


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918
							package controller

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
	"time"

	"github.com/gorilla/mux"
	"github.com/gravitl/netmaker/functions"
	"github.com/gravitl/netmaker/models"
	"github.com/gravitl/netmaker/mongoconn"
	"go.mongodb.org/mongo-driver/bson"
	"go.mongodb.org/mongo-driver/mongo/options"
	"golang.org/x/crypto/bcrypt"
)

func nodeHandlers(r *mux.Router) {

	r.HandleFunc("/api/nodes", authorize(false, "master", http.HandlerFunc(getAllNodes))).Methods("GET")
	r.HandleFunc("/api/nodes/{network}", authorize(true, "network", http.HandlerFunc(getNetworkNodes))).Methods("GET")
	r.HandleFunc("/api/nodes/{network}/{macaddress}", authorize(true, "node", http.HandlerFunc(getNode))).Methods("GET")
	r.HandleFunc("/api/nodes/{network}/{macaddress}", authorize(true, "node", http.HandlerFunc(updateNode))).Methods("PUT")
	r.HandleFunc("/api/nodes/{network}/{macaddress}", authorize(true, "node", http.HandlerFunc(deleteNode))).Methods("DELETE")
	r.HandleFunc("/api/nodes/{network}/{macaddress}/checkin", authorize(true, "node", http.HandlerFunc(checkIn))).Methods("POST")
	r.HandleFunc("/api/nodes/{network}/{macaddress}/creategateway", authorize(true, "master", http.HandlerFunc(createEgressGateway))).Methods("POST")
	r.HandleFunc("/api/nodes/{network}/{macaddress}/deletegateway", authorize(true, "master", http.HandlerFunc(deleteEgressGateway))).Methods("DELETE")
	r.HandleFunc("/api/nodes/{network}/{macaddress}/createingress", securityCheck(false, http.HandlerFunc(createIngressGateway))).Methods("POST")
	r.HandleFunc("/api/nodes/{network}/{macaddress}/deleteingress", securityCheck(false, http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
	r.HandleFunc("/api/nodes/{network}/{macaddress}/approve", authorize(true, "master", http.HandlerFunc(uncordonNode))).Methods("POST")
	r.HandleFunc("/api/nodes/{network}", createNode).Methods("POST")
	r.HandleFunc("/api/nodes/adm/{network}/lastmodified", authorize(true, "network", http.HandlerFunc(getLastModified))).Methods("GET")
	r.HandleFunc("/api/nodes/adm/{network}/authenticate", authenticate).Methods("POST")

}

//Node authenticates using its password and retrieves a JWT for authorization.
func authenticate(response http.ResponseWriter, request *http.Request) {

	//Auth request consists of Mac Address and Password (from node that is authorizing
	//in case of Master, auth is ignored and mac is set to "mastermac"
	var authRequest models.AuthParams
	var result models.Node
	var errorResponse = models.ErrorResponse{
		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
	}

	//Get password fnd mac rom request
	decoder := json.NewDecoder(request.Body)
	decoderErr := decoder.Decode(&authRequest)
	defer request.Body.Close()

	if decoderErr != nil {
		errorResponse.Code = http.StatusBadRequest
		errorResponse.Message = decoderErr.Error()
		returnErrorResponse(response, request, errorResponse)
		return
	} else {
		errorResponse.Code = http.StatusBadRequest
		if authRequest.MacAddress == "" {
			errorResponse.Message = "W1R3: MacAddress can't be empty"
			returnErrorResponse(response, request, errorResponse)
			return
		} else if authRequest.Password == "" {
			errorResponse.Message = "W1R3: Password can't be empty"
			returnErrorResponse(response, request, errorResponse)
			return
		} else {

			//Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API untill approved).
			collection := mongoconn.Client.Database("netmaker").Collection("nodes")
			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
			var err = collection.FindOne(ctx, bson.M{"macaddress": authRequest.MacAddress, "ispending": false}).Decode(&result)

			defer cancel()

			if err != nil {
				errorResponse.Code = http.StatusBadRequest
				errorResponse.Message = err.Error()
				returnErrorResponse(response, request, errorResponse)
				return
			}

			//compare password from request to stored password in database
			//might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
			//TODO: Consider a way of hashing the password client side before sending, or using certificates
			err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password))
			if err != nil {
				errorResponse.Code = http.StatusBadRequest
				errorResponse.Message = err.Error()
				returnErrorResponse(response, request, errorResponse)
				return
			} else {
				//Create a new JWT for the node
				tokenString, _ := functions.CreateJWT(authRequest.MacAddress, result.Network)

				if tokenString == "" {
					errorResponse.Code = http.StatusBadRequest
					errorResponse.Message = "Could not create Token"
					returnErrorResponse(response, request, errorResponse)
					return
				}

				var successResponse = models.SuccessResponse{
					Code:    http.StatusOK,
					Message: "W1R3: Device " + authRequest.MacAddress + " Authorized",
					Response: models.SuccessfulLoginResponse{
						AuthToken:  tokenString,
						MacAddress: authRequest.MacAddress,
					},
				}
				//Send back the JWT
				successJSONResponse, jsonError := json.Marshal(successResponse)

				if jsonError != nil {
					errorResponse.Code = http.StatusBadRequest
					errorResponse.Message = err.Error()
					returnErrorResponse(response, request, errorResponse)
					return
				}
				response.WriteHeader(http.StatusOK)
				response.Header().Set("Content-Type", "application/json")
				response.Write(successJSONResponse)
			}
		}
	}
}

//The middleware for most requests to the API
//They all pass  through here first
//This will validate the JWT (or check for master token)
//This will also check against the authNetwork and make sure the node should be accessing that endpoint,
//even if it's technically ok
//This is kind of a poor man's RBAC. There's probably a better/smarter way.
//TODO: Consider better RBAC implementations
func authorize(networkCheck bool, authNetwork string, next http.Handler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {

		var errorResponse = models.ErrorResponse{
			Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
		}

		var params = mux.Vars(r)

		networkexists, _ := functions.NetworkExists(params["network"])

		//check that the request is for a valid network
		//if (networkCheck && !networkexists) || err != nil {
		if networkCheck && !networkexists {
			errorResponse = models.ErrorResponse{
				Code: http.StatusNotFound, Message: "W1R3: This network does not exist. ",
			}
			returnErrorResponse(w, r, errorResponse)
			return

		} else {

			w.Header().Set("Content-Type", "application/json")

			//get the auth token
			bearerToken := r.Header.Get("Authorization")

			var tokenSplit = strings.Split(bearerToken, " ")

			//I put this in in case the user doesn't put in a token at all (in which case it's empty)
			//There's probably a smarter way of handling this.
			var authToken = "928rt238tghgwe@TY@$Y@#WQAEGB2FC#@HG#@$Hddd"

			if len(tokenSplit) > 1 {
				authToken = tokenSplit[1]
			} else {
				errorResponse = models.ErrorResponse{
					Code: http.StatusUnauthorized, Message: "W1R3: Missing Auth Token.",
				}
				returnErrorResponse(w, r, errorResponse)
				return
			}

			//This checks if
			//A: the token is the master password
			//B: the token corresponds to a mac address, and if so, which one
			//TODO: There's probably a better way of dealing with the "master token"/master password. Plz Halp.

			var isAuthorized = false
			var macaddress = ""
			username, networks, isadmin, errN := functions.VerifyUserToken(authToken)
			isnetadmin := isadmin
			if errN == nil && isadmin {
				macaddress = "mastermac"
				isAuthorized = true
			} else {
				mac, _, err := functions.VerifyToken(authToken)
				if err != nil {
					errorResponse = models.ErrorResponse{
						Code: http.StatusUnauthorized, Message: "W1R3: Error Verifying Auth Token.",
					}
					returnErrorResponse(w, r, errorResponse)
					return
				}
				macaddress = mac
			}
			if !isadmin && params["network"] != "" {
				if functions.SliceContains(networks, params["network"]) {
					isnetadmin = true
				}
			}
			//The mastermac (login with masterkey from config) can do everything!! May be dangerous.
			if macaddress == "mastermac" {
				isAuthorized = true

				//for everyone else, there's poor man's RBAC. The "cases" are defined in the routes in the handlers
				//So each route defines which access network should be allowed to access it
			} else {
				switch authNetwork {
				case "all":
					isAuthorized = true
				case "nodes":
					isAuthorized = (macaddress != "") || isnetadmin
				case "network":
					if isnetadmin {
						isAuthorized = true
					} else {
						node, err := functions.GetNodeByMacAddress(params["network"], macaddress)
						if err != nil {
							errorResponse = models.ErrorResponse{
								Code: http.StatusUnauthorized, Message: "W1R3: Missing Auth Token.",
							}
							returnErrorResponse(w, r, errorResponse)
							return
						}
						isAuthorized = (node.Network == params["network"])
					}
				case "node":
					if isnetadmin {
						isAuthorized = true
					} else {
						isAuthorized = (macaddress == params["macaddress"])
					}
				case "master":
					isAuthorized = (macaddress == "mastermac")
				default:
					isAuthorized = false
				}
			}
			if !isAuthorized {
				errorResponse = models.ErrorResponse{
					Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
				}
				returnErrorResponse(w, r, errorResponse)
				return
			} else {
				//If authorized, this function passes along it's request and output to the appropriate route function.
				if username == "" {
					username = "(user not found)"
				}
				r.Header.Set("user", username)
				next.ServeHTTP(w, r)
			}
		}
	}
}

//Gets all nodes associated with network, including pending nodes
func getNetworkNodes(w http.ResponseWriter, r *http.Request) {

	w.Header().Set("Content-Type", "application/json")

	var nodes []models.Node
	var params = mux.Vars(r)
	networkName := params["network"]
	nodes, err := GetNetworkNodes(networkName)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}

	//Returns all the nodes in JSON format
	functions.PrintUserLog(r.Header.Get("user"), "fetched nodes on network"+networkName, 2)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(nodes)
}

func GetNetworkNodes(network string) ([]models.Node, error) {
	var nodes []models.Node
	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	filter := bson.M{"network": network}
	//Filtering out the ID field cuz Dillon doesn't like it. May want to filter out other fields in the future
	cur, err := collection.Find(ctx, filter, options.Find().SetProjection(bson.M{"_id": 0}))
	if err != nil {
		return []models.Node{}, err
	}
	defer cancel()
	for cur.Next(context.TODO()) {
		//Using a different model for the Node (other than regular node).
		//Either we should do this for ALL structs (so Networks and Keys)
		//OR we should just use the original struct
		//My preference is to make some new return structs
		//TODO: Think about this. Not an immediate concern. Just need to get some consistency eventually
		var node models.Node
		err := cur.Decode(&node)
		if err != nil {
			return []models.Node{}, err
		}
		// add item our array of nodes
		nodes = append(nodes, node)
	}
	//TODO: Another fatal error we should take care of.
	if err := cur.Err(); err != nil {
		return []models.Node{}, err
	}
	return nodes, nil
}

//A separate function to get all nodes, not just nodes for a particular network.
//Not quite sure if this is necessary. Probably necessary based on front end but may want to review after iteration 1 if it's being used or not
func getAllNodes(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	nodes, err := functions.GetAllNodes()
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	//Return all the nodes in JSON format
	functions.PrintUserLog(r.Header.Get("user"), "fetched nodes", 2)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(nodes)
}

//This function get's called when a node "checks in" at check in interval
//Honestly I'm not sure what all it should be doing
//TODO: Implement the necessary stuff, including the below
//Check the last modified of the network
//Check the last modified of the nodes
//Write functions for responding to these two thingies
func checkIn(w http.ResponseWriter, r *http.Request) {

	//TODO: Current thoughts:
	//Dont bother with a networklastmodified
	//Instead, implement a "configupdate" boolean on nodes
	//when there is a network update  that requrires  a config update,  then the node will pull its new config

	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	node, err := CheckIn(params["network"], params["macaddress"])
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}
func CheckIn(network, macaddress string) (models.Node, error) {
	var node models.Node

	//Retrieves node with DB Call which is inefficient. Let's just get the time and set it.
	//node = functions.GetNodeByMacAddress(params["network"], params["macaddress"])
	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	filter := bson.M{"macaddress": macaddress, "network": network}
	//old code was inefficient, this is all we need.
	time := time.Now().Unix()
	//node.SetLastCheckIn()
	// prepare update model with new time
	update := bson.D{
		{"$set", bson.D{
			{"lastcheckin", time},
		}},
	}
	err := collection.FindOneAndUpdate(ctx, filter, update).Decode(&node)
	defer cancel()
	if err != nil {
		return models.Node{}, err
	}
	//TODO: check node last modified vs network last modified
	//Get Updated node to return
	node, err = GetNode(macaddress, network)
	if err != nil {
		return models.Node{}, err
	}
	return node, nil
}

//Get an individual node. Nothin fancy here folks.
func getNode(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)

	node, err := GetNode(params["macaddress"], params["network"])
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "fetched node "+params["macaddress"], 2)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

//Get the time that a network of nodes was last modified.
//TODO: This needs to be refactored
//Potential way to do this: On UpdateNode, set a new field for "LastModified"
//If we go with the existing way, we need to at least set network.NodesLastModified on UpdateNode
func getLastModified(w http.ResponseWriter, r *http.Request) {
	// set header.
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)
	network, err := GetLastModified(params["network"])
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "called last modified", 2)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(network.NodesLastModified)
}

func GetLastModified(network string) (models.Network, error) {
	var net models.Network
	collection := mongoconn.Client.Database("netmaker").Collection("networks")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	filter := bson.M{"netid": network}
	err := collection.FindOne(ctx, filter).Decode(&net)
	defer cancel()
	if err != nil {
		fmt.Println(err)
		return models.Network{}, err
	}
	return net, nil
}

//This one's a doozy
//To create a node
//Must have valid key and be unique
func createNode(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)

	var errorResponse = models.ErrorResponse{
		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
	}

	networkName := params["network"]

	//Check if network exists  first
	//TODO: This is inefficient. Let's find a better way.
	//Just a few rows down we grab the network anyway
	networkexists, err := functions.NetworkExists(networkName)

	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	} else if !networkexists {
		errorResponse = models.ErrorResponse{
			Code: http.StatusNotFound, Message: "W1R3: Network does not exist! ",
		}
		returnErrorResponse(w, r, errorResponse)
		return
	}

	var node models.Node

	//get node from body of request
	err = json.NewDecoder(r.Body).Decode(&node)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}

	node.Network = networkName

	network, err := node.GetNetwork()
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}

	//Check to see if key is valid
	//TODO: Triple inefficient!!! This is the third call to the DB we make for networks
	validKey := functions.IsKeyValid(networkName, node.AccessKey)

	if !validKey {
		//Check to see if network will allow manual sign up
		//may want to switch this up with the valid key check and avoid a DB call that way.
		if *network.AllowManualSignUp {
			node.IsPending = true
		} else {
			errorResponse = models.ErrorResponse{
				Code: http.StatusUnauthorized, Message: "W1R3: Key invalid, or none provided.",
			}
			returnErrorResponse(w, r, errorResponse)
			return
		}
	}

	err = ValidateNodeCreate(networkName, node)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "badrequest"))
		return
	}

	node, err = CreateNode(node, networkName)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "created new node "+node.Name+" on network "+node.Network, 1)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

//Takes node out of pending state
//TODO: May want to use cordon/uncordon terminology instead of "ispending".
func uncordonNode(w http.ResponseWriter, r *http.Request) {
	var params = mux.Vars(r)
	w.Header().Set("Content-Type", "application/json")
	node, err := UncordonNode(params["network"], params["macaddress"])
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "uncordoned node "+node.Name, 1)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode("SUCCESS")
}

func UncordonNode(network, macaddress string) (models.Node, error) {
	node, err := functions.GetNodeByMacAddress(network, macaddress)
	if err != nil {
		return models.Node{}, err
	}
	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	// Create filter
	filter := bson.M{"macaddress": macaddress, "network": network}
	node.SetLastModified()
	fmt.Println("Uncordoning node " + node.Name)
	// prepare update model.
	update := bson.D{
		{"$set", bson.D{
			{"ispending", false},
		}},
	}
	err = collection.FindOneAndUpdate(ctx, filter, update).Decode(&node)
	defer cancel()
	if err != nil {
		return models.Node{}, err
	}
	return node, nil
}

func createEgressGateway(w http.ResponseWriter, r *http.Request) {
	var gateway models.EgressGatewayRequest
	var params = mux.Vars(r)
	w.Header().Set("Content-Type", "application/json")
	err := json.NewDecoder(r.Body).Decode(&gateway)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	gateway.NetID = params["network"]
	gateway.NodeID = params["macaddress"]
	node, err := CreateEgressGateway(gateway)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "created egress gateway on node "+gateway.NodeID+" on network "+gateway.NetID, 1)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, error) {
	node, err := functions.GetNodeByMacAddress(gateway.NetID, gateway.NodeID)
	if err != nil {
		return models.Node{}, err
	}
	err = ValidateEgressGateway(gateway)
	if err != nil {
		return models.Node{}, err
	}
	var nodechange models.Node
	nodechange.IsEgressGateway = true
	nodechange.EgressGatewayRanges = gateway.Ranges
	nodechange.PostUp = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT; iptables -t nat -A POSTROUTING -o " + gateway.Interface + " -j MASQUERADE"
	nodechange.PostDown = "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT; iptables -t nat -D POSTROUTING -o " + gateway.Interface + " -j MASQUERADE"
	if gateway.PostUp != "" {
		nodechange.PostUp = gateway.PostUp
	}
	if gateway.PostDown != "" {
		nodechange.PostDown = gateway.PostDown
	}
	if node.PostUp != "" {
		if !strings.Contains(node.PostUp, nodechange.PostUp) {
			nodechange.PostUp = node.PostUp + "; " + nodechange.PostUp
		} else {
			nodechange.PostUp = node.PostUp
		}
	}
	if node.PostDown != "" {
		if !strings.Contains(node.PostDown, nodechange.PostDown) {
			nodechange.PostDown = node.PostDown + "; " + nodechange.PostDown
		} else {
			nodechange.PostDown = node.PostDown
		}
	}
	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	// Create filter
	filter := bson.M{"macaddress": gateway.NodeID, "network": gateway.NetID}
	nodechange.SetLastModified()
	// prepare update model.
	update := bson.D{
		{"$set", bson.D{
			{"postup", nodechange.PostUp},
			{"postdown", nodechange.PostDown},
			{"isegressgateway", nodechange.IsEgressGateway},
			{"egressgatewayranges", nodechange.EgressGatewayRanges},
			{"lastmodified", nodechange.LastModified},
		}},
	}
	var nodeupdate models.Node
	err = collection.FindOneAndUpdate(ctx, filter, update).Decode(&nodeupdate)
	defer cancel()
	if err != nil {
		return models.Node{}, err
	}
	err = SetNetworkNodesLastModified(gateway.NetID)
	if err != nil {
		return models.Node{}, err
	}
	//Get updated values to return
	node, err = functions.GetNodeByMacAddress(gateway.NetID, gateway.NodeID)
	if err != nil {
		return models.Node{}, err
	}
	return node, nil
}

func ValidateEgressGateway(gateway models.EgressGatewayRequest) error {
	var err error
	//isIp := functions.IsIpCIDR(gateway.RangeString)
	empty := len(gateway.Ranges) == 0
	if empty {
		err = errors.New("IP Ranges Cannot Be Empty")
	}
	empty = gateway.Interface == ""
	if empty {
		err = errors.New("Interface cannot be empty")
	}
	return err
}

func deleteEgressGateway(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	nodeMac := params["macaddress"]
	netid := params["network"]
	node, err := DeleteEgressGateway(netid, nodeMac)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "delete egress gateway "+nodeMac+" on network "+netid, 1)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

func DeleteEgressGateway(network, macaddress string) (models.Node, error) {

	var nodeupdate models.Node
	var nodechange models.Node
	node, err := functions.GetNodeByMacAddress(network, macaddress)
	if err != nil {
		return models.Node{}, err
	}

	nodechange.IsEgressGateway = false
	nodechange.EgressGatewayRanges = []string{}
	nodechange.PostUp = ""
	nodechange.PostDown = ""

	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	// Create filter
	filter := bson.M{"macaddress": macaddress, "network": network}
	nodechange.SetLastModified()
	// prepare update model.
	update := bson.D{
		{"$set", bson.D{
			{"postup", nodechange.PostUp},
			{"postdown", nodechange.PostDown},
			{"isegressgateway", nodechange.IsEgressGateway},
			{"egressgatewayranges", nodechange.EgressGatewayRanges},
			{"lastmodified", nodechange.LastModified},
		}},
	}
	err = collection.FindOneAndUpdate(ctx, filter, update).Decode(&nodeupdate)
	defer cancel()
	if err != nil {
		return models.Node{}, err
	}
	err = SetNetworkNodesLastModified(network)
	if err != nil {
		return models.Node{}, err
	}
	//Get updated values to return
	node, err = functions.GetNodeByMacAddress(network, macaddress)
	if err != nil {
		return models.Node{}, err
	}
	return node, nil
}

// == INGRESS ==
func createIngressGateway(w http.ResponseWriter, r *http.Request) {
	var params = mux.Vars(r)
	w.Header().Set("Content-Type", "application/json")
	nodeMac := params["macaddress"]
	netid := params["network"]
	node, err := CreateIngressGateway(netid, nodeMac)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "created ingress gateway on node "+nodeMac+" on network "+netid, 1)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

func CreateIngressGateway(netid string, macaddress string) (models.Node, error) {

	node, err := functions.GetNodeByMacAddress(netid, macaddress)
	if err != nil {
		return models.Node{}, err
	}

	network, err := functions.GetParentNetwork(netid)
	if err != nil {
		log.Println("Could not find network.")
		return models.Node{}, err
	}
	var nodechange models.Node
	nodechange.IngressGatewayRange = network.AddressRange
	nodechange.PostUp = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT; iptables -t nat -A POSTROUTING -o " + node.Interface + " -j MASQUERADE"
	nodechange.PostDown = "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT; iptables -t nat -D POSTROUTING -o " + node.Interface + " -j MASQUERADE"
	if node.PostUp != "" {
		if !strings.Contains(node.PostUp, nodechange.PostUp) {
			nodechange.PostUp = node.PostUp + "; " + nodechange.PostUp
		} else {
			nodechange.PostUp = node.PostUp
		}
	}
	if node.PostDown != "" {
		if !strings.Contains(node.PostDown, nodechange.PostDown) {
			nodechange.PostDown = node.PostDown + "; " + nodechange.PostDown
		} else {
			nodechange.PostDown = node.PostDown
		}
	}

	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	// Create filter
	filter := bson.M{"macaddress": macaddress, "network": netid}
	node.SetLastModified()
	// prepare update model.
	update := bson.D{
		{"$set", bson.D{
			{"postup", nodechange.PostUp},
			{"postdown", nodechange.PostDown},
			{"isingressgateway", true},
			{"ingressgatewayrange", nodechange.IngressGatewayRange},
			{"lastmodified", node.LastModified},
		}},
	}
	var nodeupdate models.Node
	err = collection.FindOneAndUpdate(ctx, filter, update).Decode(&nodeupdate)
	defer cancel()
	if err != nil {
		log.Println("error updating node to gateway")
		return models.Node{}, err
	}
	err = SetNetworkNodesLastModified(netid)
	if err != nil {
		return node, err
	}
	//Get updated values to return
	node, err = functions.GetNodeByMacAddress(netid, macaddress)
	if err != nil {
		log.Println("error finding node after update")
		return node, err
	}
	return node, nil
}

func deleteIngressGateway(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	var params = mux.Vars(r)
	nodeMac := params["macaddress"]
	node, err := DeleteIngressGateway(params["network"], nodeMac)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	functions.PrintUserLog(r.Header.Get("user"), "deleted ingress gateway"+nodeMac, 1)
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

func DeleteIngressGateway(network, macaddress string) (models.Node, error) {

	var nodeupdate models.Node
	node, err := functions.GetNodeByMacAddress(network, macaddress)
	if err != nil {
		return models.Node{}, err
	}

	collection := mongoconn.Client.Database("netmaker").Collection("nodes")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	// Create filter
	filter := bson.M{"macaddress": macaddress, "network": network}
	// prepare update model.
	update := bson.D{
		{"$set", bson.D{
			{"lastmodified", time.Now().Unix()},
			{"isingressgateway", false},
		}},
	}
	err = collection.FindOneAndUpdate(ctx, filter, update).Decode(&nodeupdate)
	defer cancel()
	if err != nil {
		return models.Node{}, err
	}
	err = SetNetworkNodesLastModified(network)
	if err != nil {
		return models.Node{}, err
	}
	//Get updated values to return
	node, err = functions.GetNodeByMacAddress(network, macaddress)
	if err != nil {
		return models.Node{}, err
	}
	return node, nil
}

func updateNode(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")

	var params = mux.Vars(r)

	//Get id from parameters
	//id, _ := primitive.ObjectIDFromHex(params["id"])

	var node models.Node

	//start here
	node, err := functions.GetNodeByMacAddress(params["network"], params["macaddress"])
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}

	var nodechange models.NodeUpdate

	// we decode our body request params
	_ = json.NewDecoder(r.Body).Decode(&nodechange)
	if nodechange.Network == "" {
		nodechange.Network = node.Network
	}
	if nodechange.MacAddress == "" {
		nodechange.MacAddress = node.MacAddress
	}
	err = ValidateNodeUpdate(params["network"], nodechange)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "badrequest"))
		return
	}

	node, err = UpdateNode(nodechange, node)
	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(node)
}

//Delete a node
//Pretty straightforward
func deleteNode(w http.ResponseWriter, r *http.Request) {
	// Set header
	w.Header().Set("Content-Type", "application/json")

	// get params
	var params = mux.Vars(r)

	success, err := DeleteNode(params["macaddress"], params["network"])

	if err != nil {
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	} else if !success {
		err = errors.New("Could not delete node " + params["macaddress"])
		returnErrorResponse(w, r, formatError(err, "internal"))
		return
	}
	returnSuccessResponse(w, r, params["macaddress"]+" deleted.")
}