user_mgmt.go 37 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299
  1. package logic
  2. import (
  3. "encoding/json"
  4. "errors"
  5. "fmt"
  6. "time"
  7. "github.com/gravitl/netmaker/database"
  8. "github.com/gravitl/netmaker/logger"
  9. "github.com/gravitl/netmaker/logic"
  10. "github.com/gravitl/netmaker/models"
  11. "github.com/gravitl/netmaker/mq"
  12. "github.com/gravitl/netmaker/servercfg"
  13. "golang.org/x/exp/slog"
  14. )
  15. var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{
  16. ID: models.ServiceUser,
  17. Default: true,
  18. FullAccess: false,
  19. DenyDashboardAccess: true,
  20. }
  21. var PlatformUserUserPermissionTemplate = models.UserRolePermissionTemplate{
  22. ID: models.PlatformUser,
  23. Default: true,
  24. FullAccess: false,
  25. }
  26. var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{
  27. ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)),
  28. Name: "Network Admins",
  29. MetaData: "can manage configuration of all networks",
  30. Default: true,
  31. FullAccess: true,
  32. NetworkID: models.AllNetworks,
  33. }
  34. var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{
  35. ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)),
  36. Name: "Network Users",
  37. MetaData: "Can connect to nodes in your networks via Remote Access Client.",
  38. Default: true,
  39. FullAccess: false,
  40. NetworkID: models.AllNetworks,
  41. NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
  42. models.RemoteAccessGwRsrc: {
  43. models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{
  44. Read: true,
  45. VPNaccess: true,
  46. },
  47. },
  48. models.ExtClientsRsrc: {
  49. models.AllExtClientsRsrcID: models.RsrcPermissionScope{
  50. Read: true,
  51. Create: true,
  52. Update: true,
  53. Delete: true,
  54. SelfOnly: true,
  55. },
  56. },
  57. models.DnsRsrc: {
  58. models.AllDnsRsrcID: models.RsrcPermissionScope{
  59. Read: true,
  60. },
  61. },
  62. models.AclRsrc: {
  63. models.AllAclsRsrcID: models.RsrcPermissionScope{
  64. Read: true,
  65. },
  66. },
  67. models.EgressGwRsrc: {
  68. models.AllEgressGwRsrcID: models.RsrcPermissionScope{
  69. Read: true,
  70. },
  71. },
  72. models.InetGwRsrc: {
  73. models.AllInetGwRsrcID: models.RsrcPermissionScope{
  74. Read: true,
  75. },
  76. },
  77. models.RelayRsrc: {
  78. models.AllRelayRsrcID: models.RsrcPermissionScope{
  79. Read: true,
  80. },
  81. },
  82. models.TagRsrc: {
  83. models.AllTagsRsrcID: models.RsrcPermissionScope{
  84. Read: true,
  85. },
  86. },
  87. },
  88. }
  89. func UserRolesInit() {
  90. d, _ := json.Marshal(logic.SuperAdminPermissionTemplate)
  91. database.Insert(logic.SuperAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  92. d, _ = json.Marshal(logic.AdminPermissionTemplate)
  93. database.Insert(logic.AdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  94. d, _ = json.Marshal(ServiceUserPermissionTemplate)
  95. database.Insert(ServiceUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  96. d, _ = json.Marshal(PlatformUserUserPermissionTemplate)
  97. database.Insert(PlatformUserUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  98. d, _ = json.Marshal(NetworkAdminAllPermissionTemplate)
  99. database.Insert(NetworkAdminAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  100. d, _ = json.Marshal(NetworkUserAllPermissionTemplate)
  101. database.Insert(NetworkUserAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  102. }
  103. func UserGroupsInit() {
  104. // create default network groups
  105. var NetworkGlobalAdminGroup = models.UserGroup{
  106. ID: models.UserGroupID(fmt.Sprintf("global-%s-grp", models.NetworkAdmin)),
  107. Default: true,
  108. Name: "All Networks Admin Group",
  109. MetaData: "can manage configuration of all networks",
  110. NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
  111. models.AllNetworks: {
  112. models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)): {},
  113. },
  114. },
  115. }
  116. var NetworkGlobalUserGroup = models.UserGroup{
  117. ID: models.UserGroupID(fmt.Sprintf("global-%s-grp", models.NetworkUser)),
  118. Name: "All Networks User Group",
  119. Default: true,
  120. NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
  121. models.NetworkID(models.AllNetworks): {
  122. models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)): {},
  123. },
  124. },
  125. MetaData: "Provides read-only dashboard access to platform users and allows connection to network nodes via the Remote Access Client.",
  126. }
  127. d, _ := json.Marshal(NetworkGlobalAdminGroup)
  128. database.Insert(NetworkGlobalAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
  129. d, _ = json.Marshal(NetworkGlobalUserGroup)
  130. database.Insert(NetworkGlobalUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
  131. }
  132. func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) {
  133. if netID.String() == "" {
  134. return
  135. }
  136. var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
  137. ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)),
  138. Name: fmt.Sprintf("%s Admin", netID),
  139. MetaData: fmt.Sprintf("can manage your network `%s` configuration.", netID),
  140. Default: true,
  141. NetworkID: netID,
  142. FullAccess: true,
  143. NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
  144. }
  145. var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
  146. ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)),
  147. Name: fmt.Sprintf("%s User", netID),
  148. MetaData: fmt.Sprintf("Can connect to nodes in your network `%s` via Remote Access Client.", netID),
  149. Default: true,
  150. FullAccess: false,
  151. NetworkID: netID,
  152. DenyDashboardAccess: false,
  153. NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
  154. models.RemoteAccessGwRsrc: {
  155. models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{
  156. Read: true,
  157. VPNaccess: true,
  158. },
  159. },
  160. models.ExtClientsRsrc: {
  161. models.AllExtClientsRsrcID: models.RsrcPermissionScope{
  162. Read: true,
  163. Create: true,
  164. Update: true,
  165. Delete: true,
  166. SelfOnly: true,
  167. },
  168. },
  169. models.DnsRsrc: {
  170. models.AllDnsRsrcID: models.RsrcPermissionScope{
  171. Read: true,
  172. },
  173. },
  174. models.AclRsrc: {
  175. models.AllAclsRsrcID: models.RsrcPermissionScope{
  176. Read: true,
  177. },
  178. },
  179. models.EgressGwRsrc: {
  180. models.AllEgressGwRsrcID: models.RsrcPermissionScope{
  181. Read: true,
  182. },
  183. },
  184. models.InetGwRsrc: {
  185. models.AllInetGwRsrcID: models.RsrcPermissionScope{
  186. Read: true,
  187. },
  188. },
  189. models.RelayRsrc: {
  190. models.AllRelayRsrcID: models.RsrcPermissionScope{
  191. Read: true,
  192. },
  193. },
  194. models.TagRsrc: {
  195. models.AllTagsRsrcID: models.RsrcPermissionScope{
  196. Read: true,
  197. },
  198. },
  199. },
  200. }
  201. d, _ := json.Marshal(NetworkAdminPermissionTemplate)
  202. database.Insert(NetworkAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  203. d, _ = json.Marshal(NetworkUserPermissionTemplate)
  204. database.Insert(NetworkUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  205. // create default network groups
  206. var NetworkAdminGroup = models.UserGroup{
  207. ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)),
  208. Name: fmt.Sprintf("%s Admin Group", netID),
  209. NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
  210. netID: {
  211. models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)): {},
  212. },
  213. },
  214. MetaData: fmt.Sprintf("can manage your network `%s` configuration including adding and removing devices.", netID),
  215. }
  216. var NetworkUserGroup = models.UserGroup{
  217. ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)),
  218. Name: fmt.Sprintf("%s User Group", netID),
  219. NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{
  220. netID: {
  221. models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)): {},
  222. },
  223. },
  224. MetaData: fmt.Sprintf("Can connect to nodes in your network `%s` via Remote Access Client. Platform users will have read-only access to the the dashboard.", netID),
  225. }
  226. d, _ = json.Marshal(NetworkAdminGroup)
  227. database.Insert(NetworkAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
  228. d, _ = json.Marshal(NetworkUserGroup)
  229. database.Insert(NetworkUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
  230. }
  231. func DeleteNetworkRoles(netID string) {
  232. users, err := logic.GetUsersDB()
  233. if err != nil {
  234. return
  235. }
  236. defaultUserGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)
  237. defaultAdminGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)
  238. for _, user := range users {
  239. var upsert bool
  240. if _, ok := user.NetworkRoles[models.NetworkID(netID)]; ok {
  241. delete(user.NetworkRoles, models.NetworkID(netID))
  242. upsert = true
  243. }
  244. if _, ok := user.UserGroups[models.UserGroupID(defaultUserGrp)]; ok {
  245. delete(user.UserGroups, models.UserGroupID(defaultUserGrp))
  246. upsert = true
  247. }
  248. if _, ok := user.UserGroups[models.UserGroupID(defaultAdminGrp)]; ok {
  249. delete(user.UserGroups, models.UserGroupID(defaultAdminGrp))
  250. upsert = true
  251. }
  252. if upsert {
  253. logic.UpsertUser(user)
  254. }
  255. }
  256. database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultUserGrp)
  257. database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultAdminGrp)
  258. userGs, _ := ListUserGroups()
  259. for _, userGI := range userGs {
  260. if _, ok := userGI.NetworkRoles[models.NetworkID(netID)]; ok {
  261. delete(userGI.NetworkRoles, models.NetworkID(netID))
  262. UpdateUserGroup(userGI)
  263. }
  264. }
  265. roles, _ := ListNetworkRoles()
  266. for _, role := range roles {
  267. if role.NetworkID.String() == netID {
  268. database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, role.ID.String())
  269. }
  270. }
  271. }
  272. // ListNetworkRoles - lists user network roles permission templates
  273. func ListNetworkRoles() ([]models.UserRolePermissionTemplate, error) {
  274. data, err := database.FetchRecords(database.USER_PERMISSIONS_TABLE_NAME)
  275. if err != nil && !database.IsEmptyRecord(err) {
  276. return []models.UserRolePermissionTemplate{}, err
  277. }
  278. userRoles := []models.UserRolePermissionTemplate{}
  279. for _, dataI := range data {
  280. userRole := models.UserRolePermissionTemplate{}
  281. err := json.Unmarshal([]byte(dataI), &userRole)
  282. if err != nil {
  283. continue
  284. }
  285. if userRole.NetworkID == "" {
  286. continue
  287. }
  288. userRoles = append(userRoles, userRole)
  289. }
  290. return userRoles, nil
  291. }
  292. func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error {
  293. // check if role exists with this id
  294. _, err := logic.GetRole(userRole.ID)
  295. if err == nil {
  296. return fmt.Errorf("role with id `%s` exists already", userRole.ID.String())
  297. }
  298. if len(userRole.NetworkLevelAccess) > 0 {
  299. for rsrcType := range userRole.NetworkLevelAccess {
  300. if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
  301. return errors.New("invalid rsrc type " + rsrcType.String())
  302. }
  303. if rsrcType == models.RemoteAccessGwRsrc {
  304. userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc]
  305. var vpnAccess bool
  306. for _, scope := range userRsrcPermissions {
  307. if scope.VPNaccess {
  308. vpnAccess = true
  309. break
  310. }
  311. }
  312. if vpnAccess {
  313. userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{
  314. models.AllExtClientsRsrcID: {
  315. Read: true,
  316. Create: true,
  317. Update: true,
  318. Delete: true,
  319. SelfOnly: true,
  320. },
  321. }
  322. }
  323. }
  324. }
  325. }
  326. if userRole.NetworkID == "" {
  327. return errors.New("only network roles are allowed to be created")
  328. }
  329. return nil
  330. }
  331. func ValidateUpdateRoleReq(userRole *models.UserRolePermissionTemplate) error {
  332. roleInDB, err := logic.GetRole(userRole.ID)
  333. if err != nil {
  334. return err
  335. }
  336. if roleInDB.NetworkID != userRole.NetworkID {
  337. return errors.New("network id mismatch")
  338. }
  339. if roleInDB.Default {
  340. return errors.New("cannot update default role")
  341. }
  342. if len(userRole.NetworkLevelAccess) > 0 {
  343. for rsrcType := range userRole.NetworkLevelAccess {
  344. if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
  345. return errors.New("invalid rsrc type " + rsrcType.String())
  346. }
  347. if rsrcType == models.RemoteAccessGwRsrc {
  348. userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc]
  349. var vpnAccess bool
  350. for _, scope := range userRsrcPermissions {
  351. if scope.VPNaccess {
  352. vpnAccess = true
  353. break
  354. }
  355. }
  356. if vpnAccess {
  357. userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{
  358. models.AllExtClientsRsrcID: {
  359. Read: true,
  360. Create: true,
  361. Update: true,
  362. Delete: true,
  363. SelfOnly: true,
  364. },
  365. }
  366. }
  367. }
  368. }
  369. }
  370. return nil
  371. }
  372. // CreateRole - inserts new role into DB
  373. func CreateRole(r models.UserRolePermissionTemplate) error {
  374. // check if role already exists
  375. if r.ID.String() == "" {
  376. return errors.New("role id cannot be empty")
  377. }
  378. _, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, r.ID.String())
  379. if err == nil {
  380. return errors.New("role already exists")
  381. }
  382. d, err := json.Marshal(r)
  383. if err != nil {
  384. return err
  385. }
  386. return database.Insert(r.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  387. }
  388. // UpdateRole - updates role template
  389. func UpdateRole(r models.UserRolePermissionTemplate) error {
  390. if r.ID.String() == "" {
  391. return errors.New("role id cannot be empty")
  392. }
  393. _, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, r.ID.String())
  394. if err != nil {
  395. return err
  396. }
  397. d, err := json.Marshal(r)
  398. if err != nil {
  399. return err
  400. }
  401. return database.Insert(r.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME)
  402. }
  403. // DeleteRole - deletes user role
  404. func DeleteRole(rid models.UserRoleID, force bool) error {
  405. if rid.String() == "" {
  406. return errors.New("role id cannot be empty")
  407. }
  408. users, err := logic.GetUsersDB()
  409. if err != nil {
  410. return err
  411. }
  412. role, err := logic.GetRole(rid)
  413. if err != nil {
  414. return err
  415. }
  416. if role.NetworkID == "" {
  417. return errors.New("cannot delete platform role")
  418. }
  419. // allow deletion of default network roles if network doesn't exist
  420. if role.NetworkID == models.AllNetworks {
  421. return errors.New("cannot delete default network role")
  422. }
  423. // check if network exists
  424. exists, _ := logic.NetworkExists(role.NetworkID.String())
  425. if role.Default {
  426. if exists && !force {
  427. return errors.New("cannot delete default role")
  428. }
  429. }
  430. for _, user := range users {
  431. for userG := range user.UserGroups {
  432. ug, err := GetUserGroup(userG)
  433. if err == nil {
  434. if role.NetworkID != "" {
  435. for netID, networkRoles := range ug.NetworkRoles {
  436. if _, ok := networkRoles[rid]; ok {
  437. delete(networkRoles, rid)
  438. ug.NetworkRoles[netID] = networkRoles
  439. UpdateUserGroup(ug)
  440. }
  441. }
  442. }
  443. }
  444. }
  445. if user.PlatformRoleID == rid {
  446. err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
  447. return err
  448. }
  449. if role.NetworkID != "" {
  450. for netID, networkRoles := range user.NetworkRoles {
  451. if _, ok := networkRoles[rid]; ok {
  452. delete(networkRoles, rid)
  453. user.NetworkRoles[netID] = networkRoles
  454. logic.UpsertUser(user)
  455. }
  456. }
  457. }
  458. }
  459. return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String())
  460. }
  461. func ValidateCreateGroupReq(g models.UserGroup) error {
  462. // check if network roles are valid
  463. for _, roleMap := range g.NetworkRoles {
  464. for roleID := range roleMap {
  465. role, err := logic.GetRole(roleID)
  466. if err != nil {
  467. return fmt.Errorf("invalid network role %s", roleID)
  468. }
  469. if role.NetworkID == "" {
  470. return errors.New("platform role cannot be used as network role")
  471. }
  472. }
  473. }
  474. return nil
  475. }
  476. func ValidateUpdateGroupReq(g models.UserGroup) error {
  477. for networkID := range g.NetworkRoles {
  478. userRolesMap := g.NetworkRoles[networkID]
  479. for roleID := range userRolesMap {
  480. netRole, err := logic.GetRole(roleID)
  481. if err != nil {
  482. err = fmt.Errorf("invalid network role")
  483. return err
  484. }
  485. if netRole.NetworkID == "" {
  486. return errors.New("platform role cannot be used as network role")
  487. }
  488. }
  489. }
  490. return nil
  491. }
  492. // CreateUserGroup - creates new user group
  493. func CreateUserGroup(g models.UserGroup) error {
  494. // check if role already exists
  495. if g.ID == "" {
  496. return errors.New("group id cannot be empty")
  497. }
  498. _, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, g.ID.String())
  499. if err == nil {
  500. return errors.New("group already exists")
  501. }
  502. d, err := json.Marshal(g)
  503. if err != nil {
  504. return err
  505. }
  506. return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
  507. }
  508. // GetUserGroup - fetches user group
  509. func GetUserGroup(gid models.UserGroupID) (models.UserGroup, error) {
  510. d, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, gid.String())
  511. if err != nil {
  512. return models.UserGroup{}, err
  513. }
  514. var ug models.UserGroup
  515. err = json.Unmarshal([]byte(d), &ug)
  516. if err != nil {
  517. return ug, err
  518. }
  519. return ug, nil
  520. }
  521. // ListUserGroups - lists user groups
  522. func ListUserGroups() ([]models.UserGroup, error) {
  523. data, err := database.FetchRecords(database.USER_GROUPS_TABLE_NAME)
  524. if err != nil && !database.IsEmptyRecord(err) {
  525. return []models.UserGroup{}, err
  526. }
  527. userGroups := []models.UserGroup{}
  528. for _, dataI := range data {
  529. userGroup := models.UserGroup{}
  530. err := json.Unmarshal([]byte(dataI), &userGroup)
  531. if err != nil {
  532. continue
  533. }
  534. userGroups = append(userGroups, userGroup)
  535. }
  536. return userGroups, nil
  537. }
  538. // UpdateUserGroup - updates new user group
  539. func UpdateUserGroup(g models.UserGroup) error {
  540. // check if group exists
  541. if g.ID == "" {
  542. return errors.New("group id cannot be empty")
  543. }
  544. _, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, g.ID.String())
  545. if err != nil {
  546. return err
  547. }
  548. d, err := json.Marshal(g)
  549. if err != nil {
  550. return err
  551. }
  552. return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME)
  553. }
  554. // DeleteUserGroup - deletes user group
  555. func DeleteUserGroup(gid models.UserGroupID) error {
  556. users, err := logic.GetUsersDB()
  557. if err != nil {
  558. return err
  559. }
  560. for _, user := range users {
  561. delete(user.UserGroups, gid)
  562. logic.UpsertUser(user)
  563. }
  564. return database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, gid.String())
  565. }
  566. func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, netid string, rsrcType models.RsrcType, rsrcID models.RsrcID, op string) bool {
  567. if permissionTemplate.FullAccess {
  568. return true
  569. }
  570. rsrcScope, ok := permissionTemplate.NetworkLevelAccess[rsrcType]
  571. if !ok {
  572. return false
  573. }
  574. _, ok = rsrcScope[rsrcID]
  575. return ok
  576. }
  577. func GetUserRAGNodesV1(user models.User) (gws map[string]models.Node) {
  578. gws = make(map[string]models.Node)
  579. nodes, err := logic.GetAllNodes()
  580. if err != nil {
  581. return
  582. }
  583. if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
  584. for _, node := range nodes {
  585. if node.IsIngressGateway {
  586. gws[node.ID.String()] = node
  587. }
  588. }
  589. }
  590. tagNodesMap := logic.GetTagMapWithNodes()
  591. accessPolices := logic.ListUserPolicies(user)
  592. for _, policyI := range accessPolices {
  593. if !policyI.Enabled {
  594. continue
  595. }
  596. for _, dstI := range policyI.Dst {
  597. if dstI.Value == "*" {
  598. networkNodes := logic.GetNetworkNodesMemory(nodes, policyI.NetworkID.String())
  599. for _, node := range networkNodes {
  600. if node.IsIngressGateway {
  601. gws[node.ID.String()] = node
  602. }
  603. }
  604. }
  605. if nodes, ok := tagNodesMap[models.TagID(dstI.Value)]; ok {
  606. for _, node := range nodes {
  607. if node.IsIngressGateway {
  608. gws[node.ID.String()] = node
  609. }
  610. }
  611. }
  612. }
  613. }
  614. return
  615. }
  616. func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
  617. gws = make(map[string]models.Node)
  618. userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user)
  619. logger.Log(3, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope))
  620. _, allNetAccess := userGwAccessScope["*"]
  621. nodes, err := logic.GetAllNodes()
  622. if err != nil {
  623. return
  624. }
  625. for _, node := range nodes {
  626. if node.IsIngressGateway && !node.PendingDelete {
  627. if allNetAccess {
  628. gws[node.ID.String()] = node
  629. } else {
  630. gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)]
  631. scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID]
  632. if !ok {
  633. if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok {
  634. continue
  635. }
  636. }
  637. if scope.VPNaccess {
  638. gws[node.ID.String()] = node
  639. }
  640. }
  641. }
  642. }
  643. return
  644. }
  645. // GetUserNetworkRoles - get user network roles
  646. func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) {
  647. gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope)
  648. platformRole, err := logic.GetRole(user.PlatformRoleID)
  649. if err != nil {
  650. return
  651. }
  652. if platformRole.FullAccess {
  653. gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
  654. return
  655. }
  656. if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
  657. gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
  658. return
  659. }
  660. if len(user.UserGroups) > 0 {
  661. for gID := range user.UserGroups {
  662. userG, err := GetUserGroup(gID)
  663. if err != nil {
  664. continue
  665. }
  666. if _, ok := userG.NetworkRoles[models.AllNetworks]; ok {
  667. gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
  668. return
  669. }
  670. for netID, roleMap := range userG.NetworkRoles {
  671. for roleID := range roleMap {
  672. role, err := logic.GetRole(roleID)
  673. if err == nil {
  674. if role.FullAccess {
  675. gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
  676. models.AllRemoteAccessGwRsrcID: {
  677. Create: true,
  678. Read: true,
  679. Update: true,
  680. VPNaccess: true,
  681. Delete: true,
  682. },
  683. models.AllExtClientsRsrcID: {
  684. Create: true,
  685. Read: true,
  686. Update: true,
  687. Delete: true,
  688. },
  689. }
  690. break
  691. }
  692. if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
  693. if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
  694. if len(gwAccess[netID]) == 0 {
  695. gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
  696. }
  697. gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
  698. break
  699. } else {
  700. for gwID, scope := range rsrcsMap {
  701. if scope.VPNaccess {
  702. if len(gwAccess[netID]) == 0 {
  703. gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
  704. }
  705. gwAccess[netID][gwID] = scope
  706. }
  707. }
  708. }
  709. }
  710. }
  711. }
  712. }
  713. }
  714. }
  715. for netID, roleMap := range user.NetworkRoles {
  716. for roleID := range roleMap {
  717. role, err := logic.GetRole(roleID)
  718. if err == nil {
  719. if role.FullAccess {
  720. gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
  721. models.AllRemoteAccessGwRsrcID: {
  722. Create: true,
  723. Read: true,
  724. Update: true,
  725. VPNaccess: true,
  726. Delete: true,
  727. },
  728. models.AllExtClientsRsrcID: {
  729. Create: true,
  730. Read: true,
  731. Update: true,
  732. Delete: true,
  733. },
  734. }
  735. break
  736. }
  737. if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
  738. if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
  739. if len(gwAccess[netID]) == 0 {
  740. gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
  741. }
  742. gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
  743. break
  744. } else {
  745. for gwID, scope := range rsrcsMap {
  746. if scope.VPNaccess {
  747. if len(gwAccess[netID]) == 0 {
  748. gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
  749. }
  750. gwAccess[netID][gwID] = scope
  751. }
  752. }
  753. }
  754. }
  755. }
  756. }
  757. }
  758. return
  759. }
  760. func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) {
  761. nodesMap := make(map[string]struct{})
  762. allNetworkRoles := make(map[models.UserRoleID]struct{})
  763. defer func() {
  764. filteredNodes = logic.AddStaticNodestoList(filteredNodes)
  765. }()
  766. if len(user.NetworkRoles) > 0 {
  767. for _, netRoles := range user.NetworkRoles {
  768. for netRoleI := range netRoles {
  769. allNetworkRoles[netRoleI] = struct{}{}
  770. }
  771. }
  772. }
  773. if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
  774. filteredNodes = nodes
  775. return
  776. }
  777. if len(user.UserGroups) > 0 {
  778. for userGID := range user.UserGroups {
  779. userG, err := GetUserGroup(userGID)
  780. if err == nil {
  781. if len(userG.NetworkRoles) > 0 {
  782. if _, ok := userG.NetworkRoles[models.AllNetworks]; ok {
  783. filteredNodes = nodes
  784. return
  785. }
  786. for _, netRoles := range userG.NetworkRoles {
  787. for netRoleI := range netRoles {
  788. allNetworkRoles[netRoleI] = struct{}{}
  789. }
  790. }
  791. }
  792. }
  793. }
  794. }
  795. for networkRoleID := range allNetworkRoles {
  796. userPermTemplate, err := logic.GetRole(networkRoleID)
  797. if err != nil {
  798. continue
  799. }
  800. networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String())
  801. if userPermTemplate.FullAccess {
  802. for _, node := range networkNodes {
  803. if _, ok := nodesMap[node.ID.String()]; ok {
  804. continue
  805. }
  806. nodesMap[node.ID.String()] = struct{}{}
  807. filteredNodes = append(filteredNodes, node)
  808. }
  809. continue
  810. }
  811. if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
  812. if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok {
  813. for _, node := range networkNodes {
  814. if _, ok := nodesMap[node.ID.String()]; ok {
  815. continue
  816. }
  817. if node.IsIngressGateway {
  818. nodesMap[node.ID.String()] = struct{}{}
  819. filteredNodes = append(filteredNodes, node)
  820. }
  821. }
  822. } else {
  823. for gwID, scope := range rsrcPerms {
  824. if _, ok := nodesMap[gwID.String()]; ok {
  825. continue
  826. }
  827. if scope.Read {
  828. gwNode, err := logic.GetNodeByID(gwID.String())
  829. if err == nil && gwNode.IsIngressGateway {
  830. nodesMap[gwNode.ID.String()] = struct{}{}
  831. filteredNodes = append(filteredNodes, gwNode)
  832. }
  833. }
  834. }
  835. }
  836. }
  837. }
  838. return
  839. }
  840. func FilterNetworksByRole(allnetworks []models.Network, user models.User) []models.Network {
  841. platformRole, err := logic.GetRole(user.PlatformRoleID)
  842. if err != nil {
  843. return []models.Network{}
  844. }
  845. if !platformRole.FullAccess {
  846. allNetworkRoles := make(map[models.NetworkID]struct{})
  847. if len(user.NetworkRoles) > 0 {
  848. for netID := range user.NetworkRoles {
  849. if netID == models.AllNetworks {
  850. return allnetworks
  851. }
  852. allNetworkRoles[netID] = struct{}{}
  853. }
  854. }
  855. if len(user.UserGroups) > 0 {
  856. for userGID := range user.UserGroups {
  857. userG, err := GetUserGroup(userGID)
  858. if err == nil {
  859. if len(userG.NetworkRoles) > 0 {
  860. for netID := range userG.NetworkRoles {
  861. if netID == models.AllNetworks {
  862. return allnetworks
  863. }
  864. allNetworkRoles[netID] = struct{}{}
  865. }
  866. }
  867. }
  868. }
  869. }
  870. filteredNetworks := []models.Network{}
  871. for _, networkI := range allnetworks {
  872. if _, ok := allNetworkRoles[models.NetworkID(networkI.NetID)]; ok {
  873. filteredNetworks = append(filteredNetworks, networkI)
  874. }
  875. }
  876. allnetworks = filteredNetworks
  877. }
  878. return allnetworks
  879. }
  880. func IsGroupsValid(groups map[models.UserGroupID]struct{}) error {
  881. for groupID := range groups {
  882. _, err := GetUserGroup(groupID)
  883. if err != nil {
  884. return fmt.Errorf("user group `%s` not found", groupID)
  885. }
  886. }
  887. return nil
  888. }
  889. func IsGroupValid(groupID models.UserGroupID) error {
  890. _, err := GetUserGroup(groupID)
  891. if err != nil {
  892. return fmt.Errorf("user group `%s` not found", groupID)
  893. }
  894. return nil
  895. }
  896. func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error {
  897. for netID, netRoles := range networkRoles {
  898. if netID != models.AllNetworks {
  899. _, err := logic.GetNetwork(netID.String())
  900. if err != nil {
  901. return fmt.Errorf("failed to fetch network %s ", netID)
  902. }
  903. }
  904. for netRoleID := range netRoles {
  905. role, err := logic.GetRole(netRoleID)
  906. if err != nil {
  907. return fmt.Errorf("failed to fetch role %s ", netRoleID)
  908. }
  909. if role.NetworkID == "" {
  910. return fmt.Errorf("cannot use platform as network role %s", netRoleID)
  911. }
  912. }
  913. }
  914. return nil
  915. }
  916. // PrepareOauthUserFromInvite - init oauth user before create
  917. func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) {
  918. var newPass, fetchErr = logic.FetchPassValue("")
  919. if fetchErr != nil {
  920. return models.User{}, fetchErr
  921. }
  922. user := models.User{
  923. UserName: in.Email,
  924. Password: newPass,
  925. }
  926. user.UserGroups = in.UserGroups
  927. user.NetworkRoles = in.NetworkRoles
  928. user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
  929. if user.PlatformRoleID == "" {
  930. user.PlatformRoleID = models.ServiceUser
  931. }
  932. return user, nil
  933. }
  934. func UpdatesUserGwAccessOnRoleUpdates(currNetworkAccess,
  935. changeNetworkAccess map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope, netID string) {
  936. networkChangeMap := make(map[models.RsrcID]models.RsrcPermissionScope)
  937. for rsrcType, RsrcPermsMap := range currNetworkAccess {
  938. if rsrcType != models.RemoteAccessGwRsrc {
  939. continue
  940. }
  941. if _, ok := changeNetworkAccess[rsrcType]; !ok {
  942. for rsrcID, scope := range RsrcPermsMap {
  943. networkChangeMap[rsrcID] = scope
  944. }
  945. } else {
  946. for rsrcID, scope := range RsrcPermsMap {
  947. if _, ok := changeNetworkAccess[rsrcType][rsrcID]; !ok {
  948. networkChangeMap[rsrcID] = scope
  949. }
  950. }
  951. }
  952. }
  953. extclients, err := logic.GetAllExtClients()
  954. if err != nil {
  955. slog.Error("failed to fetch extclients", "error", err)
  956. return
  957. }
  958. userMap, err := logic.GetUserMap()
  959. if err != nil {
  960. return
  961. }
  962. for _, extclient := range extclients {
  963. if extclient.Network != netID {
  964. continue
  965. }
  966. if _, ok := networkChangeMap[models.AllRemoteAccessGwRsrcID]; ok {
  967. if user, ok := userMap[extclient.OwnerID]; ok {
  968. if user.PlatformRoleID != models.ServiceUser {
  969. continue
  970. }
  971. err = logic.DeleteExtClientAndCleanup(extclient)
  972. if err != nil {
  973. slog.Error("failed to delete extclient",
  974. "id", extclient.ClientID, "owner", user.UserName, "error", err)
  975. } else {
  976. if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
  977. slog.Error("error setting ext peers: " + err.Error())
  978. }
  979. }
  980. }
  981. continue
  982. }
  983. if _, ok := networkChangeMap[models.RsrcID(extclient.IngressGatewayID)]; ok {
  984. if user, ok := userMap[extclient.OwnerID]; ok {
  985. if user.PlatformRoleID != models.ServiceUser {
  986. continue
  987. }
  988. err = logic.DeleteExtClientAndCleanup(extclient)
  989. if err != nil {
  990. slog.Error("failed to delete extclient",
  991. "id", extclient.ClientID, "owner", user.UserName, "error", err)
  992. } else {
  993. if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
  994. slog.Error("error setting ext peers: " + err.Error())
  995. }
  996. }
  997. }
  998. }
  999. }
  1000. if servercfg.IsDNSMode() {
  1001. logic.SetDNS()
  1002. }
  1003. }
  1004. func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) {
  1005. networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
  1006. for netID, networkUserRoles := range currNetworkRoles {
  1007. if _, ok := changeNetworkRoles[netID]; !ok {
  1008. for netRoleID := range networkUserRoles {
  1009. if _, ok := networkChangeMap[netID]; !ok {
  1010. networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
  1011. }
  1012. networkChangeMap[netID][netRoleID] = struct{}{}
  1013. }
  1014. } else {
  1015. for netRoleID := range networkUserRoles {
  1016. if _, ok := changeNetworkRoles[netID][netRoleID]; !ok {
  1017. if _, ok := networkChangeMap[netID]; !ok {
  1018. networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
  1019. }
  1020. networkChangeMap[netID][netRoleID] = struct{}{}
  1021. }
  1022. }
  1023. }
  1024. }
  1025. extclients, err := logic.GetAllExtClients()
  1026. if err != nil {
  1027. slog.Error("failed to fetch extclients", "error", err)
  1028. return
  1029. }
  1030. userMap, err := logic.GetUserMap()
  1031. if err != nil {
  1032. return
  1033. }
  1034. for _, extclient := range extclients {
  1035. if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok {
  1036. if user, ok := userMap[extclient.OwnerID]; ok {
  1037. if user.PlatformRoleID != models.ServiceUser {
  1038. continue
  1039. }
  1040. err = logic.DeleteExtClientAndCleanup(extclient)
  1041. if err != nil {
  1042. slog.Error("failed to delete extclient",
  1043. "id", extclient.ClientID, "owner", user.UserName, "error", err)
  1044. } else {
  1045. if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
  1046. slog.Error("error setting ext peers: " + err.Error())
  1047. }
  1048. }
  1049. }
  1050. }
  1051. }
  1052. if servercfg.IsDNSMode() {
  1053. logic.SetDNS()
  1054. }
  1055. }
  1056. func UpdateUserGwAccess(currentUser, changeUser models.User) {
  1057. if changeUser.PlatformRoleID != models.ServiceUser {
  1058. return
  1059. }
  1060. networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
  1061. for netID, networkUserRoles := range currentUser.NetworkRoles {
  1062. if _, ok := changeUser.NetworkRoles[netID]; !ok {
  1063. for netRoleID := range networkUserRoles {
  1064. if _, ok := networkChangeMap[netID]; !ok {
  1065. networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
  1066. }
  1067. networkChangeMap[netID][netRoleID] = struct{}{}
  1068. }
  1069. } else {
  1070. for netRoleID := range networkUserRoles {
  1071. if _, ok := changeUser.NetworkRoles[netID][netRoleID]; !ok {
  1072. if _, ok := networkChangeMap[netID]; !ok {
  1073. networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
  1074. }
  1075. networkChangeMap[netID][netRoleID] = struct{}{}
  1076. }
  1077. }
  1078. }
  1079. }
  1080. for gID := range currentUser.UserGroups {
  1081. if _, ok := changeUser.UserGroups[gID]; ok {
  1082. continue
  1083. }
  1084. userG, err := GetUserGroup(gID)
  1085. if err == nil {
  1086. for netID, networkUserRoles := range userG.NetworkRoles {
  1087. for netRoleID := range networkUserRoles {
  1088. if _, ok := networkChangeMap[netID]; !ok {
  1089. networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
  1090. }
  1091. networkChangeMap[netID][netRoleID] = struct{}{}
  1092. }
  1093. }
  1094. }
  1095. }
  1096. if len(networkChangeMap) == 0 {
  1097. return
  1098. }
  1099. // TODO - cleanup gw access when role and groups are updated
  1100. //removedGwAccess
  1101. extclients, err := logic.GetAllExtClients()
  1102. if err != nil {
  1103. slog.Error("failed to fetch extclients", "error", err)
  1104. return
  1105. }
  1106. for _, extclient := range extclients {
  1107. if extclient.OwnerID == currentUser.UserName {
  1108. if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok {
  1109. err = logic.DeleteExtClientAndCleanup(extclient)
  1110. if err != nil {
  1111. slog.Error("failed to delete extclient",
  1112. "id", extclient.ClientID, "owner", changeUser.UserName, "error", err)
  1113. } else {
  1114. if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
  1115. slog.Error("error setting ext peers: " + err.Error())
  1116. }
  1117. }
  1118. }
  1119. }
  1120. }
  1121. if servercfg.IsDNSMode() {
  1122. logic.SetDNS()
  1123. }
  1124. }
  1125. func CreateDefaultUserPolicies(netID models.NetworkID) {
  1126. if netID.String() == "" {
  1127. return
  1128. }
  1129. if !logic.IsAclExists(fmt.Sprintf("%s.%s-grp", netID, models.NetworkAdmin)) {
  1130. defaultUserAcl := models.Acl{
  1131. ID: fmt.Sprintf("%s.%s-grp", netID, models.NetworkAdmin),
  1132. Name: "Network Admin",
  1133. MetaData: "This Policy allows all network admins to communicate with all remote access gateways",
  1134. Default: true,
  1135. ServiceType: models.Any,
  1136. NetworkID: netID,
  1137. Proto: models.ALL,
  1138. RuleType: models.UserPolicy,
  1139. Src: []models.AclPolicyTag{
  1140. {
  1141. ID: models.UserGroupAclID,
  1142. Value: fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin),
  1143. },
  1144. {
  1145. ID: models.UserGroupAclID,
  1146. Value: fmt.Sprintf("global-%s-grp", models.NetworkAdmin),
  1147. },
  1148. },
  1149. Dst: []models.AclPolicyTag{
  1150. {
  1151. ID: models.DeviceAclID,
  1152. Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
  1153. }},
  1154. AllowedDirection: models.TrafficDirectionUni,
  1155. Enabled: true,
  1156. CreatedBy: "auto",
  1157. CreatedAt: time.Now().UTC(),
  1158. }
  1159. logic.InsertAcl(defaultUserAcl)
  1160. }
  1161. if !logic.IsAclExists(fmt.Sprintf("%s.%s-grp", netID, models.NetworkUser)) {
  1162. defaultUserAcl := models.Acl{
  1163. ID: fmt.Sprintf("%s.%s-grp", netID, models.NetworkUser),
  1164. Name: "Network User",
  1165. MetaData: "This Policy allows all network users to communicate with all remote access gateways",
  1166. Default: true,
  1167. ServiceType: models.Any,
  1168. NetworkID: netID,
  1169. Proto: models.ALL,
  1170. RuleType: models.UserPolicy,
  1171. Src: []models.AclPolicyTag{
  1172. {
  1173. ID: models.UserGroupAclID,
  1174. Value: fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser),
  1175. },
  1176. {
  1177. ID: models.UserGroupAclID,
  1178. Value: fmt.Sprintf("global-%s-grp", models.NetworkUser),
  1179. },
  1180. },
  1181. Dst: []models.AclPolicyTag{
  1182. {
  1183. ID: models.DeviceAclID,
  1184. Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
  1185. }},
  1186. AllowedDirection: models.TrafficDirectionUni,
  1187. Enabled: true,
  1188. CreatedBy: "auto",
  1189. CreatedAt: time.Now().UTC(),
  1190. }
  1191. logic.InsertAcl(defaultUserAcl)
  1192. }
  1193. }
  1194. func GetUserGroupsInNetwork(netID models.NetworkID) (networkGrps map[models.UserGroupID]models.UserGroup) {
  1195. groups, _ := ListUserGroups()
  1196. networkGrps = make(map[models.UserGroupID]models.UserGroup)
  1197. for _, grp := range groups {
  1198. if _, ok := grp.NetworkRoles[models.AllNetworks]; ok {
  1199. networkGrps[grp.ID] = grp
  1200. continue
  1201. }
  1202. if _, ok := grp.NetworkRoles[netID]; ok {
  1203. networkGrps[grp.ID] = grp
  1204. }
  1205. }
  1206. return
  1207. }
  1208. func AddGlobalNetRolesToAdmins(u models.User) {
  1209. if u.PlatformRoleID != models.SuperAdminRole && u.PlatformRoleID != models.AdminRole {
  1210. return
  1211. }
  1212. u.UserGroups = make(map[models.UserGroupID]struct{})
  1213. u.UserGroups[models.UserGroupID(fmt.Sprintf("global-%s-grp", models.NetworkAdmin))] = struct{}{}
  1214. logic.UpsertUser(u)
  1215. }