Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
golang
/
netmaker
-ын хуулбар https://github.com/gravitl/netmaker
2
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Салаа: patch/idp-integration
Салаанууд Тагууд
netmaker
/
controllers
/
user.go

user.go 28 KB
Байнгын холболт Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816 
  1. package controller
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/json"
    5. 

  5. 	"errors"
    6. 

  6. 	"fmt"
    7. 

  7. 	"net/http"
    8. 

  8. 	"reflect"
    9. 

  9. 

  10. 	"github.com/gorilla/mux"
    11. 

  11. 	"github.com/gorilla/websocket"
    12. 

  12. 	"github.com/gravitl/netmaker/auth"
    13. 

  13. 	"github.com/gravitl/netmaker/logger"
    14. 

  14. 	"github.com/gravitl/netmaker/logic"
    15. 

  15. 	"github.com/gravitl/netmaker/models"
    16. 

  16. 	"github.com/gravitl/netmaker/mq"
    17. 

  17. 	"github.com/gravitl/netmaker/servercfg"
    18. 

  18. 	"golang.org/x/exp/slog"
    19. 

  19. )
    20. 

  20. 

  21. var (
    22. 

  22. 	upgrader = websocket.Upgrader{}
    23. 

  23. )
    24. 

  24. 

  25. var ListRoles = listRoles
    26. 

  26. 

  27. func userHandlers(r *mux.Router) {
    28. 

  28. 	r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
    29. 

  29. 	r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
    30. 

  30. 	r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).
    31. 

  31. 		Methods(http.MethodPost)
    32. 

  32. 	r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
    33. 

  33. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
    34. 

  34. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
    35. 

  35. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
    36. 

  36. 	r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
    37. 

  37. 	r.HandleFunc("/api/users/{username}/enable", logic.SecurityCheck(true, http.HandlerFunc(enableUserAccount))).Methods(http.MethodPost)
    38. 

  38. 	r.HandleFunc("/api/users/{username}/disable", logic.SecurityCheck(true, http.HandlerFunc(disableUserAccount))).Methods(http.MethodPost)
    39. 

  39. 	r.HandleFunc("/api/v1/users", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserV1)))).Methods(http.MethodGet)
    40. 

  40. 	r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(ListRoles))).Methods(http.MethodGet)
    42. 

  42. }
    43. 

  43. 

  44. // @Summary     Authenticate a user to retrieve an authorization token
    45. 

  45. // @Router      /api/users/adm/authenticate [post]
    46. 

  46. // @Tags        Auth
    47. 

  47. // @Accept      json
    48. 

  48. // @Param       body body models.UserAuthParams true "Authentication parameters"
    49. 

  49. // @Success     200 {object} models.SuccessResponse
    50. 

  50. // @Failure     400 {object} models.ErrorResponse
    51. 

  51. // @Failure     401 {object} models.ErrorResponse
    52. 

  52. // @Failure     500 {object} models.ErrorResponse
    53. 

  53. func authenticateUser(response http.ResponseWriter, request *http.Request) {
    54. 

  54. 

  55. 	// Auth request consists of Mac Address and Password (from node that is authorizing
    56. 

  56. 	// in case of Master, auth is ignored and mac is set to "mastermac"
    57. 

  57. 	var authRequest models.UserAuthParams
    58. 

  58. 	var errorResponse = models.ErrorResponse{
    59. 

  59. 		Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
    60. 

  60. 	}
    61. 

  61. 

  62. 	decoder := json.NewDecoder(request.Body)
    63. 

  63. 	decoderErr := decoder.Decode(&authRequest)
    64. 

  64. 	defer request.Body.Close()
    65. 

  65. 	if decoderErr != nil {
    66. 

  66. 		logger.Log(0, "error decoding request body: ",
    67. 

  67. 			decoderErr.Error())
    68. 

  68. 		logic.ReturnErrorResponse(response, request, errorResponse)
    69. 

  69. 		return
    70. 

  70. 	}
    71. 

  71. 

  72. 	user, err := logic.GetUser(authRequest.UserName)
    73. 

  73. 	if err != nil {
    74. 

  74. 		logger.Log(0, authRequest.UserName, "user validation failed: ",
    75. 

  75. 			err.Error())
    76. 

  76. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    77. 

  77. 		return
    78. 

  78. 	}
    79. 

  79. 	if logic.IsOauthUser(user) == nil {
    80. 

  80. 		logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("user is registered via SSO"), "badrequest"))
    81. 

  81. 		return
    82. 

  82. 	}
    83. 

  83. 

  84. 	if user.AccountDisabled {
    85. 

  85. 		err = errors.New("user account disabled")
    86. 

  86. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    87. 

  87. 		return
    88. 

  88. 	}
    89. 

  89. 

  90. 	if !user.IsSuperAdmin && !logic.IsBasicAuthEnabled() {
    91. 

  91. 		logic.ReturnErrorResponse(
    92. 

  92. 			response,
    93. 

  93. 			request,
    94. 

  94. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    95. 

  95. 		)
    96. 

  96. 		return
    97. 

  97. 	}
    98. 

  98. 

  99. 	if val := request.Header.Get("From-Ui"); val == "true" {
    100. 

  100. 		// request came from UI, if normal user block Login
    101. 

  101. 		user, err := logic.GetUser(authRequest.UserName)
    102. 

  102. 		if err != nil {
    103. 

  103. 			logger.Log(0, authRequest.UserName, "user validation failed: ",
    104. 

  104. 				err.Error())
    105. 

  105. 			logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
    106. 

  106. 			return
    107. 

  107. 		}
    108. 

  108. 		role, err := logic.GetRole(user.PlatformRoleID)
    109. 

  109. 		if err != nil {
    110. 

  110. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    111. 

  111. 			return
    112. 

  112. 		}
    113. 

  113. 		if role.DenyDashboardAccess {
    114. 

  114. 			logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("access denied to dashboard"), "unauthorized"))
    115. 

  115. 			return
    116. 

  116. 		}
    117. 

  117. 	}
    118. 

  118. 

  119. 	username := authRequest.UserName
    120. 

  120. 	jwt, err := logic.VerifyAuthRequest(authRequest)
    121. 

  121. 	if err != nil {
    122. 

  122. 		logger.Log(0, username, "user validation failed: ",
    123. 

  123. 			err.Error())
    124. 

  124. 		logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
    125. 

  125. 		return
    126. 

  126. 	}
    127. 

  127. 

  128. 	if jwt == "" {
    129. 

  129. 		// very unlikely that err is !nil and no jwt returned, but handle it anyways.
    130. 

  130. 		logger.Log(0, username, "jwt token is empty")
    131. 

  131. 		logic.ReturnErrorResponse(
    132. 

  132. 			response,
    133. 

  133. 			request,
    134. 

  134. 			logic.FormatError(errors.New("no token returned"), "internal"),
    135. 

  135. 		)
    136. 

  136. 		return
    137. 

  137. 	}
    138. 

  138. 

  139. 	var successResponse = models.SuccessResponse{
    140. 

  140. 		Code:    http.StatusOK,
    141. 

  141. 		Message: "W1R3: Device " + username + " Authorized",
    142. 

  142. 		Response: models.SuccessfulUserLoginResponse{
    143. 

  143. 			AuthToken: jwt,
    144. 

  144. 			UserName:  username,
    145. 

  145. 		},
    146. 

  146. 	}
    147. 

  147. 	// Send back the JWT
    148. 

  148. 	successJSONResponse, jsonError := json.Marshal(successResponse)
    149. 

  149. 	if jsonError != nil {
    150. 

  150. 		logger.Log(0, username,
    151. 

  151. 			"error marshalling resp: ", jsonError.Error())
    152. 

  152. 		logic.ReturnErrorResponse(response, request, errorResponse)
    153. 

  153. 		return
    154. 

  154. 	}
    155. 

  155. 	logger.Log(2, username, "was authenticated")
    156. 

  156. 	response.Header().Set("Content-Type", "application/json")
    157. 

  157. 	response.Write(successJSONResponse)
    158. 

  158. 

  159. 	go func() {
    160. 

  160. 		if servercfg.IsPro && logic.GetRacAutoDisable() {
    161. 

  161. 			// enable all associeated clients for the user
    162. 

  162. 			clients, err := logic.GetAllExtClients()
    163. 

  163. 			if err != nil {
    164. 

  164. 				slog.Error("error getting clients: ", "error", err)
    165. 

  165. 				return
    166. 

  166. 			}
    167. 

  167. 			for _, client := range clients {
    168. 

  168. 				if client.OwnerID == username && !client.Enabled {
    169. 

  169. 					slog.Info(
    170. 

  170. 						fmt.Sprintf(
    171. 

  171. 							"enabling ext client %s for user %s due to RAC autodisabling feature",
    172. 

  172. 							client.ClientID,
    173. 

  173. 							client.OwnerID,
    174. 

  174. 						),
    175. 

  175. 					)
    176. 

  176. 					if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
    177. 

  177. 						slog.Error(
    178. 

  178. 							"error enabling ext client in RAC autodisable hook",
    179. 

  179. 							"error",
    180. 

  180. 							err,
    181. 

  181. 						)
    182. 

  182. 						continue // dont return but try for other clients
    183. 

  183. 					} else {
    184. 

  184. 						// publish peer update to ingress gateway
    185. 

  185. 						if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
    186. 

  186. 							if err = mq.PublishPeerUpdate(false); err != nil {
    187. 

  187. 								slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
    188. 

  188. 							}
    189. 

  189. 						}
    190. 

  190. 					}
    191. 

  191. 				}
    192. 

  192. 			}
    193. 

  193. 		}
    194. 

  194. 	}()
    195. 

  195. }
    196. 

  196. 

  197. // @Summary     Check if the server has a super admin
    198. 

  198. // @Router      /api/users/adm/hassuperadmin [get]
    199. 

  199. // @Tags        Users
    200. 

  200. // @Success     200 {object} bool
    201. 

  201. // @Failure     500 {object} models.ErrorResponse
    202. 

  202. func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
    203. 

  203. 

  204. 	w.Header().Set("Content-Type", "application/json")
    205. 

  205. 

  206. 	hasSuperAdmin, err := logic.HasSuperAdmin()
    207. 

  207. 	if err != nil {
    208. 

  208. 		logger.Log(0, "failed to check for admin: ", err.Error())
    209. 

  209. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    210. 

  210. 		return
    211. 

  211. 	}
    212. 

  212. 

  213. 	json.NewEncoder(w).Encode(hasSuperAdmin)
    214. 

  214. 

  215. }
    216. 

  216. 

  217. // @Summary     Get an individual user
    218. 

  218. // @Router      /api/users/{username} [get]
    219. 

  219. // @Tags        Users
    220. 

  220. // @Param       username path string true "Username of the user to fetch"
    221. 

  221. // @Success     200 {object} models.User
    222. 

  222. // @Failure     500 {object} models.ErrorResponse
    223. 

  223. func getUser(w http.ResponseWriter, r *http.Request) {
    224. 

  224. 	// set header.
    225. 

  225. 	w.Header().Set("Content-Type", "application/json")
    226. 

  226. 

  227. 	var params = mux.Vars(r)
    228. 

  228. 	usernameFetched := params["username"]
    229. 

  229. 	user, err := logic.GetReturnUser(usernameFetched)
    230. 

  230. 

  231. 	if err != nil {
    232. 

  232. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    233. 

  233. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    234. 

  234. 		return
    235. 

  235. 	}
    236. 

  236. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    237. 

  237. 	json.NewEncoder(w).Encode(user)
    238. 

  238. }
    239. 

  239. 

  240. // @Summary     Enable a user's account
    241. 

  241. // @Router      /api/users/{username}/enable [post]
    242. 

  242. // @Tags        Users
    243. 

  243. // @Param       username path string true "Username of the user to enable"
    244. 

  244. // @Success     200 {object} models.SuccessResponse
    245. 

  245. // @Failure     400 {object} models.ErrorResponse
    246. 

  246. // @Failure     500 {object} models.ErrorResponse
    247. 

  247. func enableUserAccount(w http.ResponseWriter, r *http.Request) {
    248. 

  248. 	username := mux.Vars(r)["username"]
    249. 

  249. 	user, err := logic.GetUser(username)
    250. 

  250. 	if err != nil {
    251. 

  251. 		logger.Log(0, "failed to fetch user: ", err.Error())
    252. 

  252. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    253. 

  253. 		return
    254. 

  254. 	}
    255. 

  255. 

  256. 	user.AccountDisabled = false
    257. 

  257. 	err = logic.UpsertUser(*user)
    258. 

  258. 	if err != nil {
    259. 

  259. 		logger.Log(0, "failed to enable user account: ", err.Error())
    260. 

  260. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    261. 

  261. 	}
    262. 

  262. 

  263. 	logic.ReturnSuccessResponse(w, r, "user account enabled")
    264. 

  264. }
    265. 

  265. 

  266. // @Summary     Disable a user's account
    267. 

  267. // @Router      /api/users/{username}/disable [post]
    268. 

  268. // @Tags        Users
    269. 

  269. // @Param       username path string true "Username of the user to disable"
    270. 

  270. // @Success     200 {object} models.SuccessResponse
    271. 

  271. // @Failure     400 {object} models.ErrorResponse
    272. 

  272. // @Failure     500 {object} models.ErrorResponse
    273. 

  273. func disableUserAccount(w http.ResponseWriter, r *http.Request) {
    274. 

  274. 	username := mux.Vars(r)["username"]
    275. 

  275. 	user, err := logic.GetUser(username)
    276. 

  276. 	if err != nil {
    277. 

  277. 		logger.Log(0, "failed to fetch user: ", err.Error())
    278. 

  278. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    279. 

  279. 		return
    280. 

  280. 	}
    281. 

  281. 

  282. 	if user.PlatformRoleID == models.SuperAdminRole {
    283. 

  283. 		err = errors.New("cannot disable super-admin user account")
    284. 

  284. 		logger.Log(0, err.Error())
    285. 

  285. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    286. 

  286. 		return
    287. 

  287. 	}
    288. 

  288. 

  289. 	user.AccountDisabled = true
    290. 

  290. 	err = logic.UpsertUser(*user)
    291. 

  291. 	if err != nil {
    292. 

  292. 		logger.Log(0, "failed to disable user account: ", err.Error())
    293. 

  293. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    294. 

  294. 	}
    295. 

  295. 

  296. 	logic.ReturnSuccessResponse(w, r, "user account disabled")
    297. 

  297. }
    298. 

  298. 

  299. // swagger:route GET /api/v1/users user getUserV1
    300. 

  300. //
    301. 

  301. // Get an individual user with role info.
    302. 

  302. //
    303. 

  303. //			Schemes: https
    304. 

  304. //
    305. 

  305. //			Security:
    306. 

  306. //	  		oauth
    307. 

  307. //
    308. 

  308. //			Responses:
    309. 

  309. //				200: ReturnUserWithRolesAndGroups
    310. 

  310. func getUserV1(w http.ResponseWriter, r *http.Request) {
    311. 

  311. 	// set header.
    312. 

  312. 	w.Header().Set("Content-Type", "application/json")
    313. 

  313. 	usernameFetched := r.URL.Query().Get("username")
    314. 

  314. 	if usernameFetched == "" {
    315. 

  315. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), "badrequest"))
    316. 

  316. 		return
    317. 

  317. 	}
    318. 

  318. 	user, err := logic.GetReturnUser(usernameFetched)
    319. 

  319. 	if err != nil {
    320. 

  320. 		logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
    321. 

  321. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    322. 

  322. 		return
    323. 

  323. 	}
    324. 

  324. 	userRoleTemplate, err := logic.GetRole(user.PlatformRoleID)
    325. 

  325. 	if err != nil {
    326. 

  326. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    327. 

  327. 		return
    328. 

  328. 	}
    329. 

  329. 	resp := models.ReturnUserWithRolesAndGroups{
    330. 

  330. 		ReturnUser:   user,
    331. 

  331. 		PlatformRole: userRoleTemplate,
    332. 

  332. 		UserGroups:   map[models.UserGroupID]models.UserGroup{},
    333. 

  333. 	}
    334. 

  334. 	for gId := range user.UserGroups {
    335. 

  335. 		grp, err := logic.GetUserGroup(gId)
    336. 

  336. 		if err != nil {
    337. 

  337. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    338. 

  338. 			return
    339. 

  339. 		}
    340. 

  340. 		resp.UserGroups[gId] = grp
    341. 

  341. 	}
    342. 

  342. 	logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
    343. 

  343. 	logic.ReturnSuccessResponseWithJson(w, r, resp, "fetched user with role info")
    344. 

  344. }
    345. 

  345. 

  346. // swagger:route GET /api/users user getUsers
    347. 

  347. //
    348. 

  348. // Get all users.
    349. 

  349. //
    350. 

  350. //			Schemes: https
    351. 

  351. //
    352. 

  352. //			Security:
    353. 

  353. //	  		oauth
    354. 

  354. //
    355. 

  355. //			Responses:
    356. 

  356. //				200: userBodyResponse
    357. 

  357. func getUsers(w http.ResponseWriter, r *http.Request) {
    358. 

  358. 	// set header.
    359. 

  359. 	w.Header().Set("Content-Type", "application/json")
    360. 

  360. 

  361. 	users, err := logic.GetUsers()
    362. 

  362. 

  363. 	if err != nil {
    364. 

  364. 		logger.Log(0, "failed to fetch users: ", err.Error())
    365. 

  365. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    366. 

  366. 		return
    367. 

  367. 	}
    368. 

  368. 

  369. 	logic.SortUsers(users[:])
    370. 

  370. 	logger.Log(2, r.Header.Get("user"), "fetched users")
    371. 

  371. 	json.NewEncoder(w).Encode(users)
    372. 

  372. }
    373. 

  373. 

  374. // @Summary     Create a super admin
    375. 

  375. // @Router      /api/users/adm/createsuperadmin [post]
    376. 

  376. // @Tags        Users
    377. 

  377. // @Param       body body models.User true "User details"
    378. 

  378. // @Success     200 {object} models.User
    379. 

  379. // @Failure     400 {object} models.ErrorResponse
    380. 

  380. // @Failure     500 {object} models.ErrorResponse
    381. 

  381. func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
    382. 

  382. 	w.Header().Set("Content-Type", "application/json")
    383. 

  383. 

  384. 	var u models.User
    385. 

  385. 

  386. 	err := json.NewDecoder(r.Body).Decode(&u)
    387. 

  387. 	if err != nil {
    388. 

  388. 		slog.Error("error decoding request body", "error", err.Error())
    389. 

  389. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    390. 

  390. 		return
    391. 

  391. 	}
    392. 

  392. 

  393. 	if !logic.IsBasicAuthEnabled() {
    394. 

  394. 		logic.ReturnErrorResponse(
    395. 

  395. 			w,
    396. 

  396. 			r,
    397. 

  397. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    398. 

  398. 		)
    399. 

  399. 		return
    400. 

  400. 	}
    401. 

  401. 

  402. 	err = logic.CreateSuperAdmin(&u)
    403. 

  403. 	if err != nil {
    404. 

  404. 		slog.Error("failed to create admin", "error", err.Error())
    405. 

  405. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    406. 

  406. 		return
    407. 

  407. 	}
    408. 

  408. 	logger.Log(1, u.UserName, "was made a super admin")
    409. 

  409. 	json.NewEncoder(w).Encode(logic.ToReturnUser(u))
    410. 

  410. }
    411. 

  411. 

  412. // @Summary     Transfer super admin role to another admin user
    413. 

  413. // @Router      /api/users/adm/transfersuperadmin/{username} [post]
    414. 

  414. // @Tags        Users
    415. 

  415. // @Param       username path string true "Username of the user to transfer super admin role"
    416. 

  416. // @Success     200 {object} models.User
    417. 

  417. // @Failure     403 {object} models.ErrorResponse
    418. 

  418. // @Failure     500 {object} models.ErrorResponse
    419. 

  419. func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
    420. 

  420. 	w.Header().Set("Content-Type", "application/json")
    421. 

  421. 	caller, err := logic.GetUser(r.Header.Get("user"))
    422. 

  422. 	if err != nil {
    423. 

  423. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    424. 

  424. 	}
    425. 

  425. 	if caller.PlatformRoleID != models.SuperAdminRole {
    426. 

  426. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
    427. 

  427. 		return
    428. 

  428. 	}
    429. 

  429. 	var params = mux.Vars(r)
    430. 

  430. 	username := params["username"]
    431. 

  431. 	u, err := logic.GetUser(username)
    432. 

  432. 	if err != nil {
    433. 

  433. 		slog.Error("error getting user", "user", u.UserName, "error", err.Error())
    434. 

  434. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    435. 

  435. 		return
    436. 

  436. 	}
    437. 

  437. 	if u.PlatformRoleID != models.AdminRole {
    438. 

  438. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
    439. 

  439. 		return
    440. 

  440. 	}
    441. 

  441. 	if !logic.IsBasicAuthEnabled() {
    442. 

  442. 		logic.ReturnErrorResponse(
    443. 

  443. 			w,
    444. 

  444. 			r,
    445. 

  445. 			logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"),
    446. 

  446. 		)
    447. 

  447. 		return
    448. 

  448. 	}
    449. 

  449. 

  450. 	u.PlatformRoleID = models.SuperAdminRole
    451. 

  451. 	err = logic.UpsertUser(*u)
    452. 

  452. 	if err != nil {
    453. 

  453. 		slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
    454. 

  454. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    455. 

  455. 		return
    456. 

  456. 	}
    457. 

  457. 	caller.PlatformRoleID = models.AdminRole
    458. 

  458. 	err = logic.UpsertUser(*caller)
    459. 

  459. 	if err != nil {
    460. 

  460. 		slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
    461. 

  461. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    462. 

  462. 		return
    463. 

  463. 	}
    464. 

  464. 	slog.Info("user was made a super admin", "user", u.UserName)
    465. 

  465. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
    466. 

  466. }
    467. 

  467. 

  468. // @Summary     Create a user
    469. 

  469. // @Router      /api/users/{username} [post]
    470. 

  470. // @Tags        Users
    471. 

  471. // @Param       username path string true "Username of the user to create"
    472. 

  472. // @Param       body body models.User true "User details"
    473. 

  473. // @Success     200 {object} models.User
    474. 

  474. // @Failure     400 {object} models.ErrorResponse
    475. 

  475. // @Failure     403 {object} models.ErrorResponse
    476. 

  476. // @Failure     500 {object} models.ErrorResponse
    477. 

  477. func createUser(w http.ResponseWriter, r *http.Request) {
    478. 

  478. 	w.Header().Set("Content-Type", "application/json")
    479. 

  479. 	caller, err := logic.GetUser(r.Header.Get("user"))
    480. 

  480. 	if err != nil {
    481. 

  481. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    482. 

  482. 		return
    483. 

  483. 	}
    484. 

  484. 	var user models.User
    485. 

  485. 	err = json.NewDecoder(r.Body).Decode(&user)
    486. 

  486. 	if err != nil {
    487. 

  487. 		logger.Log(0, user.UserName, "error decoding request body: ",
    488. 

  488. 			err.Error())
    489. 

  489. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    490. 

  490. 		return
    491. 

  491. 	}
    492. 

  492. 	if !servercfg.IsPro {
    493. 

  493. 		user.PlatformRoleID = models.AdminRole
    494. 

  494. 	}
    495. 

  495. 

  496. 	if user.PlatformRoleID == "" {
    497. 

  497. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role is missing"), "badrequest"))
    498. 

  498. 		return
    499. 

  499. 	}
    500. 

  500. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    501. 

  501. 	if err != nil {
    502. 

  502. 		err = errors.New("error fetching role " + user.PlatformRoleID.String() + " " + err.Error())
    503. 

  503. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    504. 

  504. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    505. 

  505. 		return
    506. 

  506. 	}
    507. 

  507. 	if userRole.ID == models.SuperAdminRole {
    508. 

  508. 		err = errors.New("additional superadmins cannot be created")
    509. 

  509. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    510. 

  510. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    511. 

  511. 		return
    512. 

  512. 	}
    513. 

  513. 

  514. 	if caller.PlatformRoleID != models.SuperAdminRole && user.PlatformRoleID == models.AdminRole {
    515. 

  515. 		err = errors.New("only superadmin can create admin users")
    516. 

  516. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
    517. 

  517. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    518. 

  518. 		return
    519. 

  519. 	}
    520. 

  520. 

  521. 	if !servercfg.IsPro && user.PlatformRoleID != models.AdminRole {
    522. 

  522. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("non-admins users can only be created on Pro version"), "forbidden"))
    523. 

  523. 		return
    524. 

  524. 	}
    525. 

  525. 

  526. 	err = logic.CreateUser(&user)
    527. 

  527. 	if err != nil {
    528. 

  528. 		slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
    529. 

  529. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    530. 

  530. 		return
    531. 

  531. 	}
    532. 

  532. 	logic.DeleteUserInvite(user.UserName)
    533. 

  533. 	logic.DeletePendingUser(user.UserName)
    534. 

  534. 	go mq.PublishPeerUpdate(false)
    535. 

  535. 	slog.Info("user was created", "username", user.UserName)
    536. 

  536. 	json.NewEncoder(w).Encode(logic.ToReturnUser(user))
    537. 

  537. }
    538. 

  538. 

  539. // @Summary     Update a user
    540. 

  540. // @Router      /api/users/{username} [put]
    541. 

  541. // @Tags        Users
    542. 

  542. // @Param       username path string true "Username of the user to update"
    543. 

  543. // @Param       body body models.User true "User details"
    544. 

  544. // @Success     200 {object} models.User
    545. 

  545. // @Failure     400 {object} models.ErrorResponse
    546. 

  546. // @Failure     403 {object} models.ErrorResponse
    547. 

  547. // @Failure     500 {object} models.ErrorResponse
    548. 

  548. func updateUser(w http.ResponseWriter, r *http.Request) {
    549. 

  549. 	w.Header().Set("Content-Type", "application/json")
    550. 

  550. 	var params = mux.Vars(r)
    551. 

  551. 	// start here
    552. 

  552. 	var caller *models.User
    553. 

  553. 	var err error
    554. 

  554. 	var ismaster bool
    555. 

  555. 	if r.Header.Get("user") == logic.MasterUser {
    556. 

  556. 		ismaster = true
    557. 

  557. 	} else {
    558. 

  558. 		caller, err = logic.GetUser(r.Header.Get("user"))
    559. 

  559. 		if err != nil {
    560. 

  560. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    561. 

  561. 		}
    562. 

  562. 	}
    563. 

  563. 

  564. 	username := params["username"]
    565. 

  565. 	user, err := logic.GetUser(username)
    566. 

  566. 	if err != nil {
    567. 

  567. 		logger.Log(0, username,
    568. 

  568. 			"failed to update user info: ", err.Error())
    569. 

  569. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    570. 

  570. 		return
    571. 

  571. 	}
    572. 

  572. 	var userchange models.User
    573. 

  573. 	// we decode our body request params
    574. 

  574. 	err = json.NewDecoder(r.Body).Decode(&userchange)
    575. 

  575. 	if err != nil {
    576. 

  576. 		slog.Error("failed to decode body", "error ", err.Error())
    577. 

  577. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    578. 

  578. 		return
    579. 

  579. 	}
    580. 

  580. 	if user.UserName != userchange.UserName {
    581. 

  581. 		logic.ReturnErrorResponse(
    582. 

  582. 			w,
    583. 

  583. 			r,
    584. 

  584. 			logic.FormatError(
    585. 

  585. 				errors.New("user in param and request body not matching"),
    586. 

  586. 				"badrequest",
    587. 

  587. 			),
    588. 

  588. 		)
    589. 

  589. 		return
    590. 

  590. 	}
    591. 

  591. 	selfUpdate := false
    592. 

  592. 	if !ismaster && caller.UserName == user.UserName {
    593. 

  593. 		selfUpdate = true
    594. 

  594. 	}
    595. 

  595. 

  596. 	if !ismaster && !selfUpdate {
    597. 

  597. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
    598. 

  598. 			slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
    599. 

  599. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    600. 

  600. 			return
    601. 

  601. 		}
    602. 

  602. 		if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
    603. 

  603. 			slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
    604. 

  604. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
    605. 

  605. 			return
    606. 

  606. 		}
    607. 

  607. 		if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
    608. 

  608. 			slog.Error("an admin user does not have permissions to update another admin user", "caller", caller.UserName, "attempted to update admin user", username)
    609. 

  609. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("an admin user does not have permissions to update another admin user"), "forbidden"))
    610. 

  610. 			return
    611. 

  611. 		}
    612. 

  612. 		if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
    613. 

  613. 			err = errors.New("an admin user does not have permissions to assign the admin role to another user")
    614. 

  614. 			slog.Error(
    615. 

  615. 				"failed to update user",
    616. 

  616. 				"caller",
    617. 

  617. 				caller.UserName,
    618. 

  618. 				"attempted to update user",
    619. 

  619. 				username,
    620. 

  620. 				"error",
    621. 

  621. 				err,
    622. 

  622. 			)
    623. 

  623. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    624. 

  624. 			return
    625. 

  625. 		}
    626. 

  626. 

  627. 	}
    628. 

  628. 	if !ismaster && selfUpdate {
    629. 

  629. 		if user.PlatformRoleID != userchange.PlatformRoleID {
    630. 

  630. 			slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
    631. 

  631. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
    632. 

  632. 			return
    633. 

  633. 

  634. 		}
    635. 

  635. 		if servercfg.IsPro {
    636. 

  636. 			// user cannot update his own roles and groups
    637. 

  637. 			if len(user.NetworkRoles) != len(userchange.NetworkRoles) || !reflect.DeepEqual(user.NetworkRoles, userchange.NetworkRoles) {
    638. 

  638. 				err = errors.New("user cannot update self update their network roles")
    639. 

  639. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    640. 

  640. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    641. 

  641. 				return
    642. 

  642. 			}
    643. 

  643. 			// user cannot update his own roles and groups
    644. 

  644. 			if len(user.UserGroups) != len(userchange.UserGroups) || !reflect.DeepEqual(user.UserGroups, userchange.UserGroups) {
    645. 

  645. 				err = errors.New("user cannot update self update their groups")
    646. 

  646. 				slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
    647. 

  647. 				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    648. 

  648. 				return
    649. 

  649. 			}
    650. 

  650. 		}
    651. 

  651. 

  652. 	}
    653. 

  653. 	if ismaster {
    654. 

  654. 		if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
    655. 

  655. 			slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
    656. 

  656. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
    657. 

  657. 			return
    658. 

  658. 		}
    659. 

  659. 	}
    660. 

  660. 

  661. 	if logic.IsOauthUser(user) == nil && userchange.Password != "" {
    662. 

  662. 		err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
    663. 

  663. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
    664. 

  664. 		return
    665. 

  665. 	}
    666. 

  666. 

  667. 	user, err = logic.UpdateUser(&userchange, user)
    668. 

  668. 	if err != nil {
    669. 

  669. 		logger.Log(0, username,
    670. 

  670. 			"failed to update user info: ", err.Error())
    671. 

  671. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    672. 

  672. 		return
    673. 

  673. 	}
    674. 

  674. 	go mq.PublishPeerUpdate(false)
    675. 

  675. 	logger.Log(1, username, "was updated")
    676. 

  676. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    677. 

  677. }
    678. 

  678. 

  679. // @Summary     Delete a user
    680. 

  680. // @Router      /api/users/{username} [delete]
    681. 

  681. // @Tags        Users
    682. 

  682. // @Param       username path string true "Username of the user to delete"
    683. 

  683. // @Success     200 {string} string
    684. 

  684. // @Failure     500 {object} models.ErrorResponse
    685. 

  685. func deleteUser(w http.ResponseWriter, r *http.Request) {
    686. 

  686. 	// Set header
    687. 

  687. 	w.Header().Set("Content-Type", "application/json")
    688. 

  688. 

  689. 	// get params
    690. 

  690. 	var params = mux.Vars(r)
    691. 

  691. 	caller, err := logic.GetUser(r.Header.Get("user"))
    692. 

  692. 	if err != nil {
    693. 

  693. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    694. 

  694. 	}
    695. 

  695. 	callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
    696. 

  696. 	if err != nil {
    697. 

  697. 		slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
    698. 

  698. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    699. 

  699. 		return
    700. 

  700. 	}
    701. 

  701. 	username := params["username"]
    702. 

  702. 	user, err := logic.GetUser(username)
    703. 

  703. 	if err != nil {
    704. 

  704. 		logger.Log(0, username,
    705. 

  705. 			"failed to update user info: ", err.Error())
    706. 

  706. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    707. 

  707. 		return
    708. 

  708. 	}
    709. 

  709. 	userRole, err := logic.GetRole(user.PlatformRoleID)
    710. 

  710. 	if err != nil {
    711. 

  711. 		slog.Error("failed to get role ", "role", userRole.ID, "error", err)
    712. 

  712. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    713. 

  713. 		return
    714. 

  714. 	}
    715. 

  715. 	if userRole.ID == models.SuperAdminRole {
    716. 

  716. 		slog.Error(
    717. 

  717. 			"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
    718. 

  718. 		logic.ReturnErrorResponse(
    719. 

  719. 			w,
    720. 

  720. 			r,
    721. 

  721. 			logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"),
    722. 

  722. 		)
    723. 

  723. 		return
    724. 

  724. 	}
    725. 

  725. 	if callerUserRole.ID != models.SuperAdminRole {
    726. 

  726. 		if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
    727. 

  727. 			slog.Error(
    728. 

  728. 				"failed to delete user: ",
    729. 

  729. 				"user",
    730. 

  730. 				username,
    731. 

  731. 				"error",
    732. 

  732. 				"admin cannot delete another admin user, including oneself",
    733. 

  733. 			)
    734. 

  734. 			logic.ReturnErrorResponse(
    735. 

  735. 				w,
    736. 

  736. 				r,
    737. 

  737. 				logic.FormatError(
    738. 

  738. 					fmt.Errorf("admin cannot delete another admin user, including oneself"),
    739. 

  739. 					"internal",
    740. 

  740. 				),
    741. 

  741. 			)
    742. 

  742. 			return
    743. 

  743. 		}
    744. 

  744. 	}
    745. 

  745. 	err = logic.DeleteUser(username)
    746. 

  746. 	if err != nil {
    747. 

  747. 		logger.Log(0, username,
    748. 

  748. 			"failed to delete user: ", err.Error())
    749. 

  749. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    750. 

  750. 		return
    751. 

  751. 	}
    752. 

  752. 	// check and delete extclient with this ownerID
    753. 

  753. 	go func() {
    754. 

  754. 		extclients, err := logic.GetAllExtClients()
    755. 

  755. 		if err != nil {
    756. 

  756. 			slog.Error("failed to get extclients", "error", err)
    757. 

  757. 			return
    758. 

  758. 		}
    759. 

  759. 		for _, extclient := range extclients {
    760. 

  760. 			if extclient.OwnerID == user.UserName {
    761. 

  761. 				err = logic.DeleteExtClientAndCleanup(extclient)
    762. 

  762. 				if err != nil {
    763. 

  763. 					slog.Error("failed to delete extclient",
    764. 

  764. 						"id", extclient.ClientID, "owner", username, "error", err)
    765. 

  765. 				} else {
    766. 

  766. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    767. 

  767. 						slog.Error("error setting ext peers: " + err.Error())
    768. 

  768. 					}
    769. 

  769. 				}
    770. 

  770. 			}
    771. 

  771. 		}
    772. 

  772. 		mq.PublishPeerUpdate(false)
    773. 

  773. 		if servercfg.IsDNSMode() {
    774. 

  774. 			logic.SetDNS()
    775. 

  775. 		}
    776. 

  776. 	}()
    777. 

  777. 	logger.Log(1, username, "was deleted")
    778. 

  778. 	json.NewEncoder(w).Encode(params["username"] + " deleted.")
    779. 

  779. }
    780. 

  780. 

  781. // Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
    782. 

  782. func socketHandler(w http.ResponseWriter, r *http.Request) {
    783. 

  783. 	// Upgrade our raw HTTP connection to a websocket based one
    784. 

  784. 	conn, err := upgrader.Upgrade(w, r, nil)
    785. 

  785. 	if err != nil {
    786. 

  786. 		logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
    787. 

  787. 		return
    788. 

  788. 	}
    789. 

  789. 	if conn == nil {
    790. 

  790. 		logger.Log(0, "failed to establish web-socket connection during node sign-in")
    791. 

  791. 		return
    792. 

  792. 	}
    793. 

  793. 	// Start handling the session
    794. 

  794. 	go auth.SessionHandler(conn)
    795. 

  795. }
    796. 

  796. 

  797. // @Summary     lists all user roles.
    798. 

  798. // @Router      /api/v1/user/roles [get]
    799. 

  799. // @Tags        Users
    800. 

  800. // @Param       role_id query string true "roleid required to get the role details"
    801. 

  801. // @Success     200 {object}  []models.UserRolePermissionTemplate
    802. 

  802. // @Failure     500 {object} models.ErrorResponse
    803. 

  803. func listRoles(w http.ResponseWriter, r *http.Request) {
    804. 

  804. 	var roles []models.UserRolePermissionTemplate
    805. 

  805. 	var err error
    806. 

  806. 	roles, err = logic.ListPlatformRoles()
    807. 

  807. 	if err != nil {
    808. 

  808. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    809. 

  809. 			Code:    http.StatusInternalServerError,
    810. 

  810. 			Message: err.Error(),
    811. 

  811. 		})
    812. 

  812. 		return
    813. 

  813. 	}
    814. 

  814. 

  815. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    816. 

  816. }
    817.