Home Explore Help
Sign In
golang
/
netmaker
mirror of https://github.com/gravitl/netmaker
2
0
Fork 0
Files Issues 0 Wiki
Tree: v1.2.0
Branches Tags
netmaker
/
pro
/
controllers
/
users.go

users.go 64 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047 
  1. package controllers
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 	"fmt"
    8. 

  8. 	"net/http"
    9. 

  9. 	"net/url"
    10. 

  10. 	"strings"
    11. 

  11. 	"time"
    12. 

  12. 

  13. 	"github.com/google/uuid"
    14. 

  14. 	"github.com/gorilla/mux"
    15. 

  15. 	"github.com/gravitl/netmaker/database"
    16. 

  16. 	"github.com/gravitl/netmaker/logger"
    17. 

  17. 	"github.com/gravitl/netmaker/logic"
    18. 

  18. 	"github.com/gravitl/netmaker/models"
    19. 

  19. 	"github.com/gravitl/netmaker/mq"
    20. 

  20. 	proAuth "github.com/gravitl/netmaker/pro/auth"
    21. 

  21. 	"github.com/gravitl/netmaker/pro/email"
    22. 

  22. 	"github.com/gravitl/netmaker/pro/idp"
    23. 

  23. 	"github.com/gravitl/netmaker/pro/idp/azure"
    24. 

  24. 	"github.com/gravitl/netmaker/pro/idp/google"
    25. 

  25. 	"github.com/gravitl/netmaker/pro/idp/okta"
    26. 

  26. 	proLogic "github.com/gravitl/netmaker/pro/logic"
    27. 

  27. 	"github.com/gravitl/netmaker/servercfg"
    28. 

  28. 	"github.com/gravitl/netmaker/utils"
    29. 

  29. 	"golang.org/x/exp/slog"
    30. 

  30. )
    31. 

  31. 

  32. func UserHandlers(r *mux.Router) {
    33. 

  33. 

  34. 	r.HandleFunc("/api/oauth/login", proAuth.HandleAuthLogin).Methods(http.MethodGet)
    35. 

  35. 	r.HandleFunc("/api/oauth/callback", proAuth.HandleAuthCallback).Methods(http.MethodGet)
    36. 

  36. 	r.HandleFunc("/api/oauth/headless", proAuth.HandleHeadlessSSO)
    37. 

  37. 	r.HandleFunc("/api/oauth/register/{regKey}", proAuth.RegisterHostSSO).Methods(http.MethodGet)
    38. 

  38. 

  39. 	// User Role Handlers
    40. 

  40. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
    41. 

  41. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
    42. 

  42. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
    43. 

  43. 	r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)
    44. 

  44. 

  45. 	// User Group Handlers
    46. 

  46. 	r.HandleFunc("/api/v1/users/groups", logic.SecurityCheck(true, http.HandlerFunc(listUserGroups))).Methods(http.MethodGet)
    47. 

  47. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(getUserGroup))).Methods(http.MethodGet)
    48. 

  48. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(createUserGroup))).Methods(http.MethodPost)
    49. 

  49. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(updateUserGroup))).Methods(http.MethodPut)
    50. 

  50. 	r.HandleFunc("/api/v1/users/group", logic.SecurityCheck(true, http.HandlerFunc(deleteUserGroup))).Methods(http.MethodDelete)
    51. 

  51. 	r.HandleFunc("/api/v1/users/add_network_user", logic.SecurityCheck(true, http.HandlerFunc(addUsertoNetwork))).Methods(http.MethodPut)
    52. 

  52. 	r.HandleFunc("/api/v1/users/remove_network_user", logic.SecurityCheck(true, http.HandlerFunc(removeUserfromNetwork))).Methods(http.MethodPut)
    53. 

  53. 	r.HandleFunc("/api/v1/users/unassigned_network_users", logic.SecurityCheck(true, http.HandlerFunc(listUnAssignedNetUsers))).Methods(http.MethodGet)
    54. 

  54. 

  55. 	// User Invite Handlers
    56. 

  56. 	r.HandleFunc("/api/v1/users/invite", userInviteVerify).Methods(http.MethodGet)
    57. 

  57. 	r.HandleFunc("/api/v1/users/invite-signup", userInviteSignUp).Methods(http.MethodPost)
    58. 

  58. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(inviteUsers))).Methods(http.MethodPost)
    59. 

  59. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(listUserInvites))).Methods(http.MethodGet)
    60. 

  60. 	r.HandleFunc("/api/v1/users/invite", logic.SecurityCheck(true, http.HandlerFunc(deleteUserInvite))).Methods(http.MethodDelete)
    61. 

  61. 	r.HandleFunc("/api/v1/users/invites", logic.SecurityCheck(true, http.HandlerFunc(deleteAllUserInvites))).Methods(http.MethodDelete)
    62. 

  62. 

  63. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(getPendingUsers))).Methods(http.MethodGet)
    64. 

  64. 	r.HandleFunc("/api/users_pending", logic.SecurityCheck(true, http.HandlerFunc(deleteAllPendingUsers))).Methods(http.MethodDelete)
    65. 

  65. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
    66. 

  66. 	r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)
    67. 

  67. 

  68. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(attachUserToRemoteAccessGw))).Methods(http.MethodPost)
    69. 

  69. 	r.HandleFunc("/api/users/{username}/remote_access_gw/{remote_access_gateway_id}", logic.SecurityCheck(true, http.HandlerFunc(removeUserFromRemoteAccessGW))).Methods(http.MethodDelete)
    70. 

  70. 	r.HandleFunc("/api/users/{username}/remote_access_gw", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUserRemoteAccessGwsV1)))).Methods(http.MethodGet)
    71. 

  71. 	r.HandleFunc("/api/users/ingress/{ingress_id}", logic.SecurityCheck(true, http.HandlerFunc(ingressGatewayUsers))).Methods(http.MethodGet)
    72. 

  72. 

  73. 	r.HandleFunc("/api/idp/sync", logic.SecurityCheck(true, http.HandlerFunc(syncIDP))).Methods(http.MethodPost)
    74. 

  74. 	r.HandleFunc("/api/idp/sync/test", logic.SecurityCheck(true, http.HandlerFunc(testIDPSync))).Methods(http.MethodPost)
    75. 

  75. 	r.HandleFunc("/api/idp/sync/status", logic.SecurityCheck(true, http.HandlerFunc(getIDPSyncStatus))).Methods(http.MethodGet)
    76. 

  76. 	r.HandleFunc("/api/idp", logic.SecurityCheck(true, http.HandlerFunc(removeIDPIntegration))).Methods(http.MethodDelete)
    77. 

  77. }
    78. 

  78. 

  79. // swagger:route POST /api/v1/users/invite-signup user userInviteSignUp
    80. 

  80. //
    81. 

  81. // user signup via invite.
    82. 

  82. //
    83. 

  83. //	Schemes: https
    84. 

  84. //
    85. 

  85. //	Responses:
    86. 

  86. //		200: ReturnSuccessResponse
    87. 

  87. func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
    88. 

  88. 	email := r.URL.Query().Get("email")
    89. 

  89. 	code := r.URL.Query().Get("invite_code")
    90. 

  90. 	in, err := logic.GetUserInvite(email)
    91. 

  91. 	if err != nil {
    92. 

  92. 		logger.Log(0, "failed to fetch users: ", err.Error())
    93. 

  93. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    94. 

  94. 		return
    95. 

  95. 	}
    96. 

  96. 	if code != in.InviteCode {
    97. 

  97. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid invite code"), "badrequest"))
    98. 

  98. 		return
    99. 

  99. 	}
    100. 

  100. 	// check if user already exists
    101. 

  101. 	_, err = logic.GetUser(email)
    102. 

  102. 	if err == nil {
    103. 

  103. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user already exists"), "badrequest"))
    104. 

  104. 		return
    105. 

  105. 	}
    106. 

  106. 	var user models.User
    107. 

  107. 	err = json.NewDecoder(r.Body).Decode(&user)
    108. 

  108. 	if err != nil {
    109. 

  109. 		logger.Log(0, user.UserName, "error decoding request body: ",
    110. 

  110. 			err.Error())
    111. 

  111. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    112. 

  112. 		return
    113. 

  113. 	}
    114. 

  114. 	if user.UserName != email {
    115. 

  115. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username not matching with invite"), "badrequest"))
    116. 

  116. 		return
    117. 

  117. 	}
    118. 

  118. 	if user.Password == "" {
    119. 

  119. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("password cannot be empty"), "badrequest"))
    120. 

  120. 		return
    121. 

  121. 	}
    122. 

  122. 

  123. 	user.UserGroups = in.UserGroups
    124. 

  124. 	user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID)
    125. 

  125. 	if user.PlatformRoleID == "" {
    126. 

  126. 		user.PlatformRoleID = models.ServiceUser
    127. 

  127. 	}
    128. 

  128. 	user.NetworkRoles = in.NetworkRoles
    129. 

  129. 	err = logic.CreateUser(&user)
    130. 

  130. 	if err != nil {
    131. 

  131. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    132. 

  132. 		return
    133. 

  133. 	}
    134. 

  134. 	// delete invite
    135. 

  135. 	logic.DeleteUserInvite(email)
    136. 

  136. 	logic.DeletePendingUser(email)
    137. 

  137. 	w.Header().Set("Access-Control-Allow-Origin", "*")
    138. 

  138. 	logic.ReturnSuccessResponse(w, r, "created user successfully "+email)
    139. 

  139. }
    140. 

  140. 

  141. // swagger:route GET /api/v1/users/invite user userInviteVerify
    142. 

  142. //
    143. 

  143. // verfies user invite.
    144. 

  144. //
    145. 

  145. //	Schemes: https
    146. 

  146. //
    147. 

  147. //	Responses:
    148. 

  148. //		200: ReturnSuccessResponse
    149. 

  149. func userInviteVerify(w http.ResponseWriter, r *http.Request) {
    150. 

  150. 	email := r.URL.Query().Get("email")
    151. 

  151. 	code := r.URL.Query().Get("invite_code")
    152. 

  152. 	err := logic.ValidateAndApproveUserInvite(email, code)
    153. 

  153. 	if err != nil {
    154. 

  154. 		logger.Log(0, "failed to fetch users: ", err.Error())
    155. 

  155. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    156. 

  156. 		return
    157. 

  157. 	}
    158. 

  158. 	logic.ReturnSuccessResponse(w, r, "invite is valid")
    159. 

  159. }
    160. 

  160. 

  161. // swagger:route POST /api/v1/users/invite user inviteUsers
    162. 

  162. //
    163. 

  163. // invite users.
    164. 

  164. //
    165. 

  165. //			Schemes: https
    166. 

  166. //
    167. 

  167. //			Security:
    168. 

  168. //	  		oauth
    169. 

  169. //
    170. 

  170. //			Responses:
    171. 

  171. //				200: userBodyResponse
    172. 

  172. func inviteUsers(w http.ResponseWriter, r *http.Request) {
    173. 

  173. 	var inviteReq models.InviteUsersReq
    174. 

  174. 	err := json.NewDecoder(r.Body).Decode(&inviteReq)
    175. 

  175. 	if err != nil {
    176. 

  176. 		slog.Error("error decoding request body", "error",
    177. 

  177. 			err.Error())
    178. 

  178. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    179. 

  179. 		return
    180. 

  180. 	}
    181. 

  181. 	callerUserName := r.Header.Get("user")
    182. 

  182. 	if r.Header.Get("ismaster") != "yes" {
    183. 

  183. 		caller, err := logic.GetUser(callerUserName)
    184. 

  184. 		if err != nil {
    185. 

  185. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "notfound"))
    186. 

  186. 			return
    187. 

  187. 		}
    188. 

  188. 		if inviteReq.PlatformRoleID == models.SuperAdminRole.String() {
    189. 

  189. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("super admin cannot be invited"), "badrequest"))
    190. 

  190. 			return
    191. 

  191. 		}
    192. 

  192. 		if inviteReq.PlatformRoleID == "" {
    193. 

  193. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("platform role id cannot be empty"), "badrequest"))
    194. 

  194. 			return
    195. 

  195. 		}
    196. 

  196. 		if (inviteReq.PlatformRoleID == models.AdminRole.String() ||
    197. 

  197. 			inviteReq.PlatformRoleID == models.SuperAdminRole.String()) && caller.PlatformRoleID != models.SuperAdminRole {
    198. 

  198. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can invite admin users"), "forbidden"))
    199. 

  199. 			return
    200. 

  200. 		}
    201. 

  201. 	}
    202. 

  202. 

  203. 	//validate Req
    204. 

  204. 	err = proLogic.IsGroupsValid(inviteReq.UserGroups)
    205. 

  205. 	if err != nil {
    206. 

  206. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    207. 

  207. 		return
    208. 

  208. 	}
    209. 

  209. 	err = proLogic.IsNetworkRolesValid(inviteReq.NetworkRoles)
    210. 

  210. 	if err != nil {
    211. 

  211. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    212. 

  212. 		return
    213. 

  213. 	}
    214. 

  214. 

  215. 	// check platform role
    216. 

  216. 	_, err = logic.GetRole(models.UserRoleID(inviteReq.PlatformRoleID))
    217. 

  217. 	if err != nil {
    218. 

  218. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    219. 

  219. 		return
    220. 

  220. 	}
    221. 

  221. 	for _, inviteeEmail := range inviteReq.UserEmails {
    222. 

  222. 		inviteeEmail = strings.ToLower(inviteeEmail)
    223. 

  223. 		// check if user with email exists, then ignore
    224. 

  224. 		if !email.IsValid(inviteeEmail) {
    225. 

  225. 			logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid email "+inviteeEmail), "badrequest"))
    226. 

  226. 			return
    227. 

  227. 		}
    228. 

  228. 		_, err := logic.GetUser(inviteeEmail)
    229. 

  229. 		if err == nil {
    230. 

  230. 			// user exists already, so ignore
    231. 

  231. 			continue
    232. 

  232. 		}
    233. 

  233. 		invite := models.UserInvite{
    234. 

  234. 			Email:          inviteeEmail,
    235. 

  235. 			PlatformRoleID: inviteReq.PlatformRoleID,
    236. 

  236. 			UserGroups:     inviteReq.UserGroups,
    237. 

  237. 			NetworkRoles:   inviteReq.NetworkRoles,
    238. 

  238. 			InviteCode:     logic.RandomString(8),
    239. 

  239. 		}
    240. 

  240. 		frontendURL := strings.TrimSuffix(servercfg.GetFrontendURL(), "/")
    241. 

  241. 		if frontendURL == "" {
    242. 

  242. 			frontendURL = fmt.Sprintf("https://dashboard.%s", servercfg.GetNmBaseDomain())
    243. 

  243. 		}
    244. 

  244. 		u, err := url.Parse(fmt.Sprintf("%s/invite?email=%s&invite_code=%s",
    245. 

  245. 			frontendURL, url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    246. 

  246. 		if err != nil {
    247. 

  247. 			slog.Error("failed to parse to invite url", "error", err)
    248. 

  248. 			return
    249. 

  249. 		}
    250. 

  250. 		if servercfg.DeployedByOperator() {
    251. 

  251. 			u, err = url.Parse(fmt.Sprintf("%s/invite?tenant_id=%s&email=%s&invite_code=%s",
    252. 

  252. 				proLogic.GetAccountsUIHost(), url.QueryEscape(servercfg.GetNetmakerTenantID()), url.QueryEscape(invite.Email), url.QueryEscape(invite.InviteCode)))
    253. 

  253. 			if err != nil {
    254. 

  254. 				slog.Error("failed to parse to invite url", "error", err)
    255. 

  255. 				return
    256. 

  256. 			}
    257. 

  257. 		}
    258. 

  258. 		invite.InviteURL = u.String()
    259. 

  259. 		err = logic.InsertUserInvite(invite)
    260. 

  260. 		if err != nil {
    261. 

  261. 			slog.Error("failed to insert invite for user", "email", invite.Email, "error", err)
    262. 

  262. 		}
    263. 

  263. 		logic.LogEvent(&models.Event{
    264. 

  264. 			Action: models.Create,
    265. 

  265. 			Source: models.Subject{
    266. 

  266. 				ID:   callerUserName,
    267. 

  267. 				Name: callerUserName,
    268. 

  268. 				Type: models.UserSub,
    269. 

  269. 				Info: invite,
    270. 

  270. 			},
    271. 

  271. 			TriggeredBy: callerUserName,
    272. 

  272. 			Target: models.Subject{
    273. 

  273. 				ID:   inviteeEmail,
    274. 

  274. 				Name: inviteeEmail,
    275. 

  275. 				Type: models.UserInviteSub,
    276. 

  276. 			},
    277. 

  277. 			Origin: models.Dashboard,
    278. 

  278. 		})
    279. 

  279. 		// notify user with magic link
    280. 

  280. 		go func(invite models.UserInvite) {
    281. 

  281. 			// Set E-Mail body. You can set plain text or html with text/html
    282. 

  282. 

  283. 			e := email.UserInvitedMail{
    284. 

  284. 				BodyBuilder:    &email.EmailBodyBuilderWithH1HeadlineAndImage{},
    285. 

  285. 				InviteURL:      invite.InviteURL,
    286. 

  286. 				PlatformRoleID: invite.PlatformRoleID,
    287. 

  287. 			}
    288. 

  288. 			n := email.Notification{
    289. 

  289. 				RecipientMail: invite.Email,
    290. 

  290. 			}
    291. 

  291. 			err = email.GetClient().SendEmail(context.Background(), n, e)
    292. 

  292. 			if err != nil {
    293. 

  293. 				slog.Error("failed to send email invite", "user", invite.Email, "error", err)
    294. 

  294. 			}
    295. 

  295. 		}(invite)
    296. 

  296. 	}
    297. 

  297. 

  298. 	logic.ReturnSuccessResponse(w, r, "triggered user invites")
    299. 

  299. }
    300. 

  300. 

  301. // swagger:route GET /api/v1/users/invites user listUserInvites
    302. 

  302. //
    303. 

  303. // lists all pending invited users.
    304. 

  304. //
    305. 

  305. //			Schemes: https
    306. 

  306. //
    307. 

  307. //			Security:
    308. 

  308. //	  		oauth
    309. 

  309. //
    310. 

  310. //			Responses:
    311. 

  311. //				200: ReturnSuccessResponseWithJson
    312. 

  312. func listUserInvites(w http.ResponseWriter, r *http.Request) {
    313. 

  313. 	usersInvites, err := logic.ListUserInvites()
    314. 

  314. 	if err != nil {
    315. 

  315. 		logger.Log(0, "failed to fetch users: ", err.Error())
    316. 

  316. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    317. 

  317. 		return
    318. 

  318. 	}
    319. 

  319. 	logic.ReturnSuccessResponseWithJson(w, r, usersInvites, "fetched pending user invites")
    320. 

  320. }
    321. 

  321. 

  322. // swagger:route DELETE /api/v1/users/invite user deleteUserInvite
    323. 

  323. //
    324. 

  324. // delete pending invite.
    325. 

  325. //
    326. 

  326. //			Schemes: https
    327. 

  327. //
    328. 

  328. //			Security:
    329. 

  329. //	  		oauth
    330. 

  330. //
    331. 

  331. //			Responses:
    332. 

  332. //				200: ReturnSuccessResponse
    333. 

  333. func deleteUserInvite(w http.ResponseWriter, r *http.Request) {
    334. 

  334. 	email := r.URL.Query().Get("invitee_email")
    335. 

  335. 	err := logic.DeleteUserInvite(email)
    336. 

  336. 	if err != nil {
    337. 

  337. 		logger.Log(0, "failed to delete user invite: ", email, err.Error())
    338. 

  338. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    339. 

  339. 		return
    340. 

  340. 	}
    341. 

  341. 	logic.LogEvent(&models.Event{
    342. 

  342. 		Action: models.Delete,
    343. 

  343. 		Source: models.Subject{
    344. 

  344. 			ID:   r.Header.Get("user"),
    345. 

  345. 			Name: r.Header.Get("user"),
    346. 

  346. 			Type: models.UserSub,
    347. 

  347. 		},
    348. 

  348. 		TriggeredBy: r.Header.Get("user"),
    349. 

  349. 		Target: models.Subject{
    350. 

  350. 			ID:   email,
    351. 

  351. 			Name: email,
    352. 

  352. 			Type: models.UserInviteSub,
    353. 

  353. 		},
    354. 

  354. 		Origin: models.Dashboard,
    355. 

  355. 		Diff: models.Diff{
    356. 

  356. 			Old: models.UserInvite{
    357. 

  357. 				Email: email,
    358. 

  358. 			},
    359. 

  359. 			New: nil,
    360. 

  360. 		},
    361. 

  361. 	})
    362. 

  362. 	logic.ReturnSuccessResponse(w, r, "deleted user invite")
    363. 

  363. }
    364. 

  364. 

  365. // swagger:route DELETE /api/v1/users/invites user deleteAllUserInvites
    366. 

  366. //
    367. 

  367. // deletes all pending invites.
    368. 

  368. //
    369. 

  369. //			Schemes: https
    370. 

  370. //
    371. 

  371. //			Security:
    372. 

  372. //	  		oauth
    373. 

  373. //
    374. 

  374. //			Responses:
    375. 

  375. //				200: ReturnSuccessResponse
    376. 

  376. func deleteAllUserInvites(w http.ResponseWriter, r *http.Request) {
    377. 

  377. 	err := database.DeleteAllRecords(database.USER_INVITES_TABLE_NAME)
    378. 

  378. 	if err != nil {
    379. 

  379. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending user invites "+err.Error()), "internal"))
    380. 

  380. 		return
    381. 

  381. 	}
    382. 

  382. 	logic.LogEvent(&models.Event{
    383. 

  383. 		Action: models.DeleteAll,
    384. 

  384. 		Source: models.Subject{
    385. 

  385. 			ID:   r.Header.Get("user"),
    386. 

  386. 			Name: r.Header.Get("user"),
    387. 

  387. 			Type: models.UserSub,
    388. 

  388. 		},
    389. 

  389. 		TriggeredBy: r.Header.Get("user"),
    390. 

  390. 		Target: models.Subject{
    391. 

  391. 			ID:   "All Invites",
    392. 

  392. 			Name: "All Invites",
    393. 

  393. 			Type: models.UserInviteSub,
    394. 

  394. 		},
    395. 

  395. 		Origin: models.Dashboard,
    396. 

  396. 	})
    397. 

  397. 	logic.ReturnSuccessResponse(w, r, "cleared all pending user invites")
    398. 

  398. }
    399. 

  399. 

  400. // swagger:route GET /api/v1/user/groups user listUserGroups
    401. 

  401. //
    402. 

  402. // Get all user groups.
    403. 

  403. //
    404. 

  404. //			Schemes: https
    405. 

  405. //
    406. 

  406. //			Security:
    407. 

  407. //	  		oauth
    408. 

  408. //
    409. 

  409. //			Responses:
    410. 

  410. //				200: userBodyResponse
    411. 

  411. func listUserGroups(w http.ResponseWriter, r *http.Request) {
    412. 

  412. 	groups, err := proLogic.ListUserGroups()
    413. 

  413. 	if err != nil {
    414. 

  414. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    415. 

  415. 			Code:    http.StatusInternalServerError,
    416. 

  416. 			Message: err.Error(),
    417. 

  417. 		})
    418. 

  418. 		return
    419. 

  419. 	}
    420. 

  420. 	logic.ReturnSuccessResponseWithJson(w, r, groups, "successfully fetched user groups")
    421. 

  421. }
    422. 

  422. 

  423. // swagger:route GET /api/v1/user/group user getUserGroup
    424. 

  424. //
    425. 

  425. // Get user group.
    426. 

  426. //
    427. 

  427. //			Schemes: https
    428. 

  428. //
    429. 

  429. //			Security:
    430. 

  430. //	  		oauth
    431. 

  431. //
    432. 

  432. //			Responses:
    433. 

  433. //				200: userBodyResponse
    434. 

  434. func getUserGroup(w http.ResponseWriter, r *http.Request) {
    435. 

  435. 

  436. 	gid := r.URL.Query().Get("group_id")
    437. 

  437. 	if gid == "" {
    438. 

  438. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    439. 

  439. 		return
    440. 

  440. 	}
    441. 

  441. 	group, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    442. 

  442. 	if err != nil {
    443. 

  443. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    444. 

  444. 			Code:    http.StatusInternalServerError,
    445. 

  445. 			Message: err.Error(),
    446. 

  446. 		})
    447. 

  447. 		return
    448. 

  448. 	}
    449. 

  449. 	logic.ReturnSuccessResponseWithJson(w, r, group, "successfully fetched user group")
    450. 

  450. }
    451. 

  451. 

  452. // swagger:route POST /api/v1/user/group user createUserGroup
    453. 

  453. //
    454. 

  454. // Create user groups.
    455. 

  455. //
    456. 

  456. //			Schemes: https
    457. 

  457. //
    458. 

  458. //			Security:
    459. 

  459. //	  		oauth
    460. 

  460. //
    461. 

  461. //			Responses:
    462. 

  462. //				200: userBodyResponse
    463. 

  463. func createUserGroup(w http.ResponseWriter, r *http.Request) {
    464. 

  464. 	var userGroupReq models.CreateGroupReq
    465. 

  465. 	err := json.NewDecoder(r.Body).Decode(&userGroupReq)
    466. 

  466. 	if err != nil {
    467. 

  467. 		slog.Error("error decoding request body", "error",
    468. 

  468. 			err.Error())
    469. 

  469. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    470. 

  470. 		return
    471. 

  471. 	}
    472. 

  472. 	err = proLogic.ValidateCreateGroupReq(userGroupReq.Group)
    473. 

  473. 	if err != nil {
    474. 

  474. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    475. 

  475. 		return
    476. 

  476. 	}
    477. 

  477. 	err = proLogic.CreateUserGroup(&userGroupReq.Group)
    478. 

  478. 	if err != nil {
    479. 

  479. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    480. 

  480. 		return
    481. 

  481. 	}
    482. 

  482. 

  483. 	for _, userID := range userGroupReq.Members {
    484. 

  484. 		user, err := logic.GetUser(userID)
    485. 

  485. 		if err != nil {
    486. 

  486. 			continue
    487. 

  487. 		}
    488. 

  488. 		if len(user.UserGroups) == 0 {
    489. 

  489. 			user.UserGroups = make(map[models.UserGroupID]struct{})
    490. 

  490. 		}
    491. 

  491. 		user.UserGroups[userGroupReq.Group.ID] = struct{}{}
    492. 

  492. 		logic.UpsertUser(*user)
    493. 

  493. 	}
    494. 

  494. 	logic.LogEvent(&models.Event{
    495. 

  495. 		Action: models.Create,
    496. 

  496. 		Source: models.Subject{
    497. 

  497. 			ID:   r.Header.Get("user"),
    498. 

  498. 			Name: r.Header.Get("user"),
    499. 

  499. 			Type: models.UserSub,
    500. 

  500. 		},
    501. 

  501. 		TriggeredBy: r.Header.Get("user"),
    502. 

  502. 		Target: models.Subject{
    503. 

  503. 			ID:   userGroupReq.Group.ID.String(),
    504. 

  504. 			Name: userGroupReq.Group.Name,
    505. 

  505. 			Type: models.UserGroupSub,
    506. 

  506. 		},
    507. 

  507. 		Origin: models.Dashboard,
    508. 

  508. 	})
    509. 

  509. 	go mq.PublishPeerUpdate(false)
    510. 

  510. 	logic.ReturnSuccessResponseWithJson(w, r, userGroupReq.Group, "created user group")
    511. 

  511. }
    512. 

  512. 

  513. // swagger:route PUT /api/v1/user/group user updateUserGroup
    514. 

  514. //
    515. 

  515. // Update user group.
    516. 

  516. //
    517. 

  517. //			Schemes: https
    518. 

  518. //
    519. 

  519. //			Security:
    520. 

  520. //	  		oauth
    521. 

  521. //
    522. 

  522. //			Responses:
    523. 

  523. //				200: userBodyResponse
    524. 

  524. func updateUserGroup(w http.ResponseWriter, r *http.Request) {
    525. 

  525. 	var userGroup models.UserGroup
    526. 

  526. 	err := json.NewDecoder(r.Body).Decode(&userGroup)
    527. 

  527. 	if err != nil {
    528. 

  528. 		slog.Error("error decoding request body", "error",
    529. 

  529. 			err.Error())
    530. 

  530. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    531. 

  531. 		return
    532. 

  532. 	}
    533. 

  533. 	// fetch curr group
    534. 

  534. 	currUserG, err := proLogic.GetUserGroup(userGroup.ID)
    535. 

  535. 	if err != nil {
    536. 

  536. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    537. 

  537. 		return
    538. 

  538. 	}
    539. 

  539. 	if currUserG.Default {
    540. 

  540. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update default user group"), "badrequest"))
    541. 

  541. 		return
    542. 

  542. 	}
    543. 

  543. 	err = proLogic.ValidateUpdateGroupReq(userGroup)
    544. 

  544. 	if err != nil {
    545. 

  545. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    546. 

  546. 		return
    547. 

  547. 	}
    548. 

  548. 

  549. 	userGroup.ExternalIdentityProviderID = currUserG.ExternalIdentityProviderID
    550. 

  550. 

  551. 	err = proLogic.UpdateUserGroup(userGroup)
    552. 

  552. 	if err != nil {
    553. 

  553. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    554. 

  554. 		return
    555. 

  555. 	}
    556. 

  556. 	logic.LogEvent(&models.Event{
    557. 

  557. 		Action: models.Update,
    558. 

  558. 		Source: models.Subject{
    559. 

  559. 			ID:   r.Header.Get("user"),
    560. 

  560. 			Name: r.Header.Get("user"),
    561. 

  561. 			Type: models.UserSub,
    562. 

  562. 		},
    563. 

  563. 		TriggeredBy: r.Header.Get("user"),
    564. 

  564. 		Target: models.Subject{
    565. 

  565. 			ID:   userGroup.ID.String(),
    566. 

  566. 			Name: userGroup.Name,
    567. 

  567. 			Type: models.UserGroupSub,
    568. 

  568. 		},
    569. 

  569. 		Diff: models.Diff{
    570. 

  570. 			Old: currUserG,
    571. 

  571. 			New: userGroup,
    572. 

  572. 		},
    573. 

  573. 		Origin: models.Dashboard,
    574. 

  574. 	})
    575. 

  575. 	replacePeers := false
    576. 

  576. 	go func() {
    577. 

  577. 		networksAdded := make([]models.NetworkID, 0)
    578. 

  578. 		networksRemoved := make([]models.NetworkID, 0)
    579. 

  579. 

  580. 		for networkID := range userGroup.NetworkRoles {
    581. 

  581. 			if _, ok := currUserG.NetworkRoles[networkID]; !ok {
    582. 

  582. 				networksAdded = append(networksAdded, networkID)
    583. 

  583. 			}
    584. 

  584. 		}
    585. 

  585. 

  586. 		for networkID := range currUserG.NetworkRoles {
    587. 

  587. 			if _, ok := userGroup.NetworkRoles[networkID]; !ok {
    588. 

  588. 				networksRemoved = append(networksRemoved, networkID)
    589. 

  589. 			}
    590. 

  590. 		}
    591. 

  591. 

  592. 		for _, networkID := range networksAdded {
    593. 

  593. 			// ensure the network exists.
    594. 

  594. 			network, err := logic.GetNetwork(networkID.String())
    595. 

  595. 			if err != nil {
    596. 

  596. 				continue
    597. 

  597. 			}
    598. 

  598. 

  599. 			// insert acl if the network is added to the group.
    600. 

  600. 			acl := models.Acl{
    601. 

  601. 				ID:          uuid.New().String(),
    602. 

  602. 				Name:        fmt.Sprintf("%s group", userGroup.Name),
    603. 

  603. 				MetaData:    "This Policy allows user group to communicate with all gateways",
    604. 

  604. 				Default:     false,
    605. 

  605. 				ServiceType: models.Any,
    606. 

  606. 				NetworkID:   models.NetworkID(network.NetID),
    607. 

  607. 				Proto:       models.ALL,
    608. 

  608. 				RuleType:    models.UserPolicy,
    609. 

  609. 				Src: []models.AclPolicyTag{
    610. 

  610. 					{
    611. 

  611. 						ID:    models.UserGroupAclID,
    612. 

  612. 						Value: userGroup.ID.String(),
    613. 

  613. 					},
    614. 

  614. 				},
    615. 

  615. 				Dst: []models.AclPolicyTag{
    616. 

  616. 					{
    617. 

  617. 						ID:    models.NodeTagID,
    618. 

  618. 						Value: fmt.Sprintf("%s.%s", models.NetworkID(network.NetID), models.GwTagName),
    619. 

  619. 					}},
    620. 

  620. 				AllowedDirection: models.TrafficDirectionUni,
    621. 

  621. 				Enabled:          true,
    622. 

  622. 				CreatedBy:        "auto",
    623. 

  623. 				CreatedAt:        time.Now().UTC(),
    624. 

  624. 			}
    625. 

  625. 			_ = logic.InsertAcl(acl)
    626. 

  626. 			replacePeers = true
    627. 

  627. 		}
    628. 

  628. 

  629. 		// since this group doesn't have a role for this network,
    630. 

  630. 		// there is no point in having this group as src in any
    631. 

  631. 		// of the network's acls.
    632. 

  632. 		for _, networkID := range networksRemoved {
    633. 

  633. 			acls, err := logic.ListAclsByNetwork(networkID)
    634. 

  634. 			if err != nil {
    635. 

  635. 				continue
    636. 

  636. 			}
    637. 

  637. 

  638. 			for _, acl := range acls {
    639. 

  639. 				var hasGroupSrc bool
    640. 

  640. 				newAclSrc := make([]models.AclPolicyTag, 0)
    641. 

  641. 				for _, src := range acl.Src {
    642. 

  642. 					if src.ID == models.UserGroupAclID && src.Value == userGroup.ID.String() {
    643. 

  643. 						hasGroupSrc = true
    644. 

  644. 					} else {
    645. 

  645. 						newAclSrc = append(newAclSrc, src)
    646. 

  646. 					}
    647. 

  647. 				}
    648. 

  648. 

  649. 				if hasGroupSrc {
    650. 

  650. 					if len(newAclSrc) == 0 {
    651. 

  651. 						// no other src exists, delete acl.
    652. 

  652. 						_ = logic.DeleteAcl(acl)
    653. 

  653. 					} else {
    654. 

  654. 						// other sources exist, update acl.
    655. 

  655. 						acl.Src = newAclSrc
    656. 

  656. 						_ = logic.UpsertAcl(acl)
    657. 

  657. 					}
    658. 

  658. 					replacePeers = true
    659. 

  659. 				}
    660. 

  660. 			}
    661. 

  661. 		}
    662. 

  662. 	}()
    663. 

  663. 

  664. 	// reset configs for service user
    665. 

  665. 	go proLogic.UpdatesUserGwAccessOnGrpUpdates(userGroup.ID, currUserG.NetworkRoles, userGroup.NetworkRoles)
    666. 

  666. 	go mq.PublishPeerUpdate(replacePeers)
    667. 

  667. 	logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
    668. 

  668. }
    669. 

  669. 

  670. // swagger:route GET /api/v1/users/unassigned_network_user user listUnAssignedNetUsers
    671. 

  671. //
    672. 

  672. // list unassigned network users.
    673. 

  673. //
    674. 

  674. //			Schemes: https
    675. 

  675. //
    676. 

  676. //			Security:
    677. 

  677. //	  		oauth
    678. 

  678. //
    679. 

  679. //			Responses:
    680. 

  680. //				200: userBodyResponse
    681. 

  681. func listUnAssignedNetUsers(w http.ResponseWriter, r *http.Request) {
    682. 

  682. 	netID := r.URL.Query().Get("network_id")
    683. 

  683. 	if netID == "" {
    684. 

  684. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    685. 

  685. 		return
    686. 

  686. 	}
    687. 

  687. 	var unassignedUsers []models.ReturnUser
    688. 

  688. 	users, _ := logic.GetUsers()
    689. 

  689. 	for _, user := range users {
    690. 

  690. 		if user.PlatformRoleID != models.ServiceUser {
    691. 

  691. 			continue
    692. 

  692. 		}
    693. 

  693. 		skipUser := false
    694. 

  694. 		for userGID := range user.UserGroups {
    695. 

  695. 			userG, err := proLogic.GetUserGroup(userGID)
    696. 

  696. 			if err != nil {
    697. 

  697. 				continue
    698. 

  698. 			}
    699. 

  699. 			if _, ok := userG.NetworkRoles[models.NetworkID(netID)]; ok {
    700. 

  700. 				skipUser = true
    701. 

  701. 				break
    702. 

  702. 			}
    703. 

  703. 		}
    704. 

  704. 		if skipUser {
    705. 

  705. 			continue
    706. 

  706. 		}
    707. 

  707. 		unassignedUsers = append(unassignedUsers, user)
    708. 

  708. 	}
    709. 

  709. 	logic.ReturnSuccessResponseWithJson(w, r, unassignedUsers, "returned unassigned network service users")
    710. 

  710. }
    711. 

  711. 

  712. // swagger:route PUT /api/v1/users/add_network_user user addUsertoNetwork
    713. 

  713. //
    714. 

  714. // add user to network.
    715. 

  715. //
    716. 

  716. //			Schemes: https
    717. 

  717. //
    718. 

  718. //			Security:
    719. 

  719. //	  		oauth
    720. 

  720. //
    721. 

  721. //			Responses:
    722. 

  722. //				200: userBodyResponse
    723. 

  723. func addUsertoNetwork(w http.ResponseWriter, r *http.Request) {
    724. 

  724. 	username := r.URL.Query().Get("username")
    725. 

  725. 	if username == "" {
    726. 

  726. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    727. 

  727. 		return
    728. 

  728. 	}
    729. 

  729. 	netID := r.URL.Query().Get("network_id")
    730. 

  730. 	if netID == "" {
    731. 

  731. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    732. 

  732. 		return
    733. 

  733. 	}
    734. 

  734. 	user, err := logic.GetUser(username)
    735. 

  735. 	if err != nil {
    736. 

  736. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    737. 

  737. 		return
    738. 

  738. 	}
    739. 

  739. 	if user.PlatformRoleID != models.ServiceUser {
    740. 

  740. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    741. 

  741. 		return
    742. 

  742. 	}
    743. 

  743. 	oldUser := *user
    744. 

  744. 	user.UserGroups[proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID))] = struct{}{}
    745. 

  745. 	logic.UpsertUser(*user)
    746. 

  746. 	logic.LogEvent(&models.Event{
    747. 

  747. 		Action: models.Update,
    748. 

  748. 		Source: models.Subject{
    749. 

  749. 			ID:   r.Header.Get("user"),
    750. 

  750. 			Name: r.Header.Get("user"),
    751. 

  751. 			Type: models.UserSub,
    752. 

  752. 		},
    753. 

  753. 		TriggeredBy: r.Header.Get("user"),
    754. 

  754. 		Target: models.Subject{
    755. 

  755. 			ID:   user.UserName,
    756. 

  756. 			Name: user.UserName,
    757. 

  757. 			Type: models.UserSub,
    758. 

  758. 		},
    759. 

  759. 		Diff: models.Diff{
    760. 

  760. 			Old: oldUser,
    761. 

  761. 			New: user,
    762. 

  762. 		},
    763. 

  763. 		Origin: models.Dashboard,
    764. 

  764. 	})
    765. 

  765. 

  766. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    767. 

  767. }
    768. 

  768. 

  769. // swagger:route PUT /api/v1/users/remove_network_user user removeUserfromNetwork
    770. 

  770. //
    771. 

  771. // add user to network.
    772. 

  772. //
    773. 

  773. //			Schemes: https
    774. 

  774. //
    775. 

  775. //			Security:
    776. 

  776. //	  		oauth
    777. 

  777. //
    778. 

  778. //			Responses:
    779. 

  779. //				200: userBodyResponse
    780. 

  780. func removeUserfromNetwork(w http.ResponseWriter, r *http.Request) {
    781. 

  781. 	username := r.URL.Query().Get("username")
    782. 

  782. 	if username == "" {
    783. 

  783. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("username is required"), logic.BadReq))
    784. 

  784. 		return
    785. 

  785. 	}
    786. 

  786. 	netID := r.URL.Query().Get("network_id")
    787. 

  787. 	if netID == "" {
    788. 

  788. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("network is required"), logic.BadReq))
    789. 

  789. 		return
    790. 

  790. 	}
    791. 

  791. 	user, err := logic.GetUser(username)
    792. 

  792. 	if err != nil {
    793. 

  793. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, logic.BadReq))
    794. 

  794. 		return
    795. 

  795. 	}
    796. 

  796. 	if user.PlatformRoleID != models.ServiceUser {
    797. 

  797. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("can only add service users"), logic.BadReq))
    798. 

  798. 		return
    799. 

  799. 	}
    800. 

  800. 	oldUser := *user
    801. 

  801. 	delete(user.UserGroups, proLogic.GetDefaultNetworkUserGroupID(models.NetworkID(netID)))
    802. 

  802. 	logic.UpsertUser(*user)
    803. 

  803. 	logic.LogEvent(&models.Event{
    804. 

  804. 		Action: models.Update,
    805. 

  805. 		Source: models.Subject{
    806. 

  806. 			ID:   r.Header.Get("user"),
    807. 

  807. 			Name: r.Header.Get("user"),
    808. 

  808. 			Type: models.UserSub,
    809. 

  809. 		},
    810. 

  810. 		TriggeredBy: r.Header.Get("user"),
    811. 

  811. 		Target: models.Subject{
    812. 

  812. 			ID:   user.UserName,
    813. 

  813. 			Name: user.UserName,
    814. 

  814. 			Type: models.UserSub,
    815. 

  815. 		},
    816. 

  816. 		Diff: models.Diff{
    817. 

  817. 			Old: oldUser,
    818. 

  818. 			New: user,
    819. 

  819. 		},
    820. 

  820. 		Origin: models.Dashboard,
    821. 

  821. 	})
    822. 

  822. 

  823. 	logic.ReturnSuccessResponseWithJson(w, r, user, "updated user group")
    824. 

  824. }
    825. 

  825. 

  826. // swagger:route DELETE /api/v1/user/group user deleteUserGroup
    827. 

  827. //
    828. 

  828. // delete user group.
    829. 

  829. //
    830. 

  830. //			Schemes: https
    831. 

  831. //
    832. 

  832. //			Security:
    833. 

  833. //	  		oauth
    834. 

  834. //
    835. 

  835. //			Responses:
    836. 

  836. //				200: userBodyResponse
    837. 

  837. //
    838. 

  838. // @Summary     Delete user group.
    839. 

  839. // @Router      /api/v1/user/group [delete]
    840. 

  840. // @Tags        Users
    841. 

  841. // @Param       group_id query string true "group id required to delete the role"
    842. 

  842. // @Success     200 {string} string
    843. 

  843. // @Failure     500 {object} models.ErrorResponse
    844. 

  844. func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
    845. 

  845. 

  846. 	gid := r.URL.Query().Get("group_id")
    847. 

  847. 	if gid == "" {
    848. 

  848. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("group id is required"), "badrequest"))
    849. 

  849. 		return
    850. 

  850. 	}
    851. 

  851. 	userG, err := proLogic.GetUserGroup(models.UserGroupID(gid))
    852. 

  852. 	if err != nil {
    853. 

  853. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to fetch group details"), "badrequest"))
    854. 

  854. 		return
    855. 

  855. 	}
    856. 

  856. 	if userG.Default {
    857. 

  857. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot delete default user group"), "badrequest"))
    858. 

  858. 		return
    859. 

  859. 	}
    860. 

  860. 	err = proLogic.DeleteAndCleanUpGroup(&userG)
    861. 

  861. 	if err != nil {
    862. 

  862. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    863. 

  863. 		return
    864. 

  864. 	}
    865. 

  865. 

  866. 	// TODO: log event in proLogic.DeleteAndCleanUpGroup so that all deletions are logged.
    867. 

  867. 	logic.LogEvent(&models.Event{
    868. 

  868. 		Action: models.Delete,
    869. 

  869. 		Source: models.Subject{
    870. 

  870. 			ID:   r.Header.Get("user"),
    871. 

  871. 			Name: r.Header.Get("user"),
    872. 

  872. 			Type: models.UserSub,
    873. 

  873. 		},
    874. 

  874. 		TriggeredBy: r.Header.Get("user"),
    875. 

  875. 		Target: models.Subject{
    876. 

  876. 			ID:   userG.ID.String(),
    877. 

  877. 			Name: userG.Name,
    878. 

  878. 			Type: models.UserGroupSub,
    879. 

  879. 		},
    880. 

  880. 		Origin: models.Dashboard,
    881. 

  881. 		Diff: models.Diff{
    882. 

  882. 			Old: userG,
    883. 

  883. 			New: nil,
    884. 

  884. 		},
    885. 

  885. 	})
    886. 

  886. 

  887. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
    888. 

  888. }
    889. 

  889. 

  890. // @Summary     lists all user roles.
    891. 

  891. // @Router      /api/v1/user/roles [get]
    892. 

  892. // @Tags        Users
    893. 

  893. // @Param       role_id query string true "roleid required to get the role details"
    894. 

  894. // @Success     200 {object}  []models.UserRolePermissionTemplate
    895. 

  895. // @Failure     500 {object} models.ErrorResponse
    896. 

  896. func ListRoles(w http.ResponseWriter, r *http.Request) {
    897. 

  897. 	platform := r.URL.Query().Get("platform")
    898. 

  898. 	var roles []models.UserRolePermissionTemplate
    899. 

  899. 	var err error
    900. 

  900. 	if platform == "true" {
    901. 

  901. 		roles, err = logic.ListPlatformRoles()
    902. 

  902. 	} else {
    903. 

  903. 		roles, err = proLogic.ListNetworkRoles()
    904. 

  904. 	}
    905. 

  905. 	if err != nil {
    906. 

  906. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    907. 

  907. 			Code:    http.StatusInternalServerError,
    908. 

  908. 			Message: err.Error(),
    909. 

  909. 		})
    910. 

  910. 		return
    911. 

  911. 	}
    912. 

  912. 

  913. 	logic.ReturnSuccessResponseWithJson(w, r, roles, "successfully fetched user roles permission templates")
    914. 

  914. }
    915. 

  915. 

  916. // @Summary     Get user role permission template.
    917. 

  917. // @Router      /api/v1/user/role [get]
    918. 

  918. // @Tags        Users
    919. 

  919. // @Param       role_id query string true "roleid required to get the role details"
    920. 

  920. // @Success     200 {object} models.UserRolePermissionTemplate
    921. 

  921. // @Failure     500 {object} models.ErrorResponse
    922. 

  922. func getRole(w http.ResponseWriter, r *http.Request) {
    923. 

  923. 	rid := r.URL.Query().Get("role_id")
    924. 

  924. 	if rid == "" {
    925. 

  925. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    926. 

  926. 		return
    927. 

  927. 	}
    928. 

  928. 	role, err := logic.GetRole(models.UserRoleID(rid))
    929. 

  929. 	if err != nil {
    930. 

  930. 		logic.ReturnErrorResponse(w, r, models.ErrorResponse{
    931. 

  931. 			Code:    http.StatusInternalServerError,
    932. 

  932. 			Message: err.Error(),
    933. 

  933. 		})
    934. 

  934. 		return
    935. 

  935. 	}
    936. 

  936. 	logic.ReturnSuccessResponseWithJson(w, r, role, "successfully fetched user role permission templates")
    937. 

  937. }
    938. 

  938. 

  939. // @Summary     Create user role permission template.
    940. 

  940. // @Router      /api/v1/user/role [post]
    941. 

  941. // @Tags        Users
    942. 

  942. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    943. 

  943. // @Success     200 {object}  models.UserRolePermissionTemplate
    944. 

  944. // @Failure     500 {object} models.ErrorResponse
    945. 

  945. func createRole(w http.ResponseWriter, r *http.Request) {
    946. 

  946. 	var userRole models.UserRolePermissionTemplate
    947. 

  947. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    948. 

  948. 	if err != nil {
    949. 

  949. 		slog.Error("error decoding request body", "error",
    950. 

  950. 			err.Error())
    951. 

  951. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    952. 

  952. 		return
    953. 

  953. 	}
    954. 

  954. 	err = proLogic.ValidateCreateRoleReq(&userRole)
    955. 

  955. 	if err != nil {
    956. 

  956. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    957. 

  957. 		return
    958. 

  958. 	}
    959. 

  959. 	userRole.Default = false
    960. 

  960. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    961. 

  961. 	err = proLogic.CreateRole(userRole)
    962. 

  962. 	if err != nil {
    963. 

  963. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    964. 

  964. 		return
    965. 

  965. 	}
    966. 

  966. 	logic.LogEvent(&models.Event{
    967. 

  967. 		Action: models.Create,
    968. 

  968. 		Source: models.Subject{
    969. 

  969. 			ID:   r.Header.Get("user"),
    970. 

  970. 			Name: r.Header.Get("user"),
    971. 

  971. 			Type: models.UserSub,
    972. 

  972. 		},
    973. 

  973. 		TriggeredBy: r.Header.Get("user"),
    974. 

  974. 		Target: models.Subject{
    975. 

  975. 			ID:   userRole.ID.String(),
    976. 

  976. 			Name: userRole.Name,
    977. 

  977. 			Type: models.UserRoleSub,
    978. 

  978. 		},
    979. 

  979. 		Origin: models.ClientApp,
    980. 

  980. 	})
    981. 

  981. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "created user role")
    982. 

  982. }
    983. 

  983. 

  984. // @Summary     Update user role permission template.
    985. 

  985. // @Router      /api/v1/user/role [put]
    986. 

  986. // @Tags        Users
    987. 

  987. // @Param       body body models.UserRolePermissionTemplate true "user role template"
    988. 

  988. // @Success     200 {object} models.UserRolePermissionTemplate
    989. 

  989. // @Failure     500 {object} models.ErrorResponse
    990. 

  990. func updateRole(w http.ResponseWriter, r *http.Request) {
    991. 

  991. 	var userRole models.UserRolePermissionTemplate
    992. 

  992. 	err := json.NewDecoder(r.Body).Decode(&userRole)
    993. 

  993. 	if err != nil {
    994. 

  994. 		slog.Error("error decoding request body", "error",
    995. 

  995. 			err.Error())
    996. 

  996. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    997. 

  997. 		return
    998. 

  998. 	}
    999. 

  999. 	currRole, err := logic.GetRole(userRole.ID)
    1000. 

  1000. 	if err != nil {
    1001. 

  1001. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1002. 

  1002. 		return
    1003. 

  1003. 	}
    1004. 

  1004. 	err = proLogic.ValidateUpdateRoleReq(&userRole)
    1005. 

  1005. 	if err != nil {
    1006. 

  1006. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1007. 

  1007. 		return
    1008. 

  1008. 	}
    1009. 

  1009. 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
    1010. 

  1010. 	err = proLogic.UpdateRole(userRole)
    1011. 

  1011. 	if err != nil {
    1012. 

  1012. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1013. 

  1013. 		return
    1014. 

  1014. 	}
    1015. 

  1015. 	logic.LogEvent(&models.Event{
    1016. 

  1016. 		Action: models.Update,
    1017. 

  1017. 		Source: models.Subject{
    1018. 

  1018. 			ID:   r.Header.Get("user"),
    1019. 

  1019. 			Name: r.Header.Get("user"),
    1020. 

  1020. 			Type: models.UserSub,
    1021. 

  1021. 		},
    1022. 

  1022. 		TriggeredBy: r.Header.Get("user"),
    1023. 

  1023. 		Target: models.Subject{
    1024. 

  1024. 			ID:   userRole.ID.String(),
    1025. 

  1025. 			Name: userRole.Name,
    1026. 

  1026. 			Type: models.UserRoleSub,
    1027. 

  1027. 		},
    1028. 

  1028. 		Diff: models.Diff{
    1029. 

  1029. 			Old: currRole,
    1030. 

  1030. 			New: userRole,
    1031. 

  1031. 		},
    1032. 

  1032. 		Origin: models.Dashboard,
    1033. 

  1033. 	})
    1034. 

  1034. 	// reset configs for service user
    1035. 

  1035. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(currRole.NetworkLevelAccess, userRole.NetworkLevelAccess, string(userRole.NetworkID))
    1036. 

  1036. 	logic.ReturnSuccessResponseWithJson(w, r, userRole, "updated user role")
    1037. 

  1037. }
    1038. 

  1038. 

  1039. // @Summary     Delete user role permission template.
    1040. 

  1040. // @Router      /api/v1/user/role [delete]
    1041. 

  1041. // @Tags        Users
    1042. 

  1042. // @Param       role_id query string true "roleid required to delete the role"
    1043. 

  1043. // @Success     200 {string} string
    1044. 

  1044. // @Failure     500 {object} models.ErrorResponse
    1045. 

  1045. func deleteRole(w http.ResponseWriter, r *http.Request) {
    1046. 

  1046. 

  1047. 	rid := r.URL.Query().Get("role_id")
    1048. 

  1048. 	if rid == "" {
    1049. 

  1049. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1050. 

  1050. 		return
    1051. 

  1051. 	}
    1052. 

  1052. 	role, err := logic.GetRole(models.UserRoleID(rid))
    1053. 

  1053. 	if err != nil {
    1054. 

  1054. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
    1055. 

  1055. 		return
    1056. 

  1056. 	}
    1057. 

  1057. 	err = proLogic.DeleteRole(models.UserRoleID(rid), false)
    1058. 

  1058. 	if err != nil {
    1059. 

  1059. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1060. 

  1060. 		return
    1061. 

  1061. 	}
    1062. 

  1062. 	logic.LogEvent(&models.Event{
    1063. 

  1063. 		Action: models.Delete,
    1064. 

  1064. 		Source: models.Subject{
    1065. 

  1065. 			ID:   r.Header.Get("user"),
    1066. 

  1066. 			Name: r.Header.Get("user"),
    1067. 

  1067. 			Type: models.UserSub,
    1068. 

  1068. 		},
    1069. 

  1069. 		TriggeredBy: r.Header.Get("user"),
    1070. 

  1070. 		Target: models.Subject{
    1071. 

  1071. 			ID:   role.ID.String(),
    1072. 

  1072. 			Name: role.Name,
    1073. 

  1073. 			Type: models.UserRoleSub,
    1074. 

  1074. 		},
    1075. 

  1075. 		Origin: models.Dashboard,
    1076. 

  1076. 		Diff: models.Diff{
    1077. 

  1077. 			Old: role,
    1078. 

  1078. 			New: nil,
    1079. 

  1079. 		},
    1080. 

  1080. 	})
    1081. 

  1081. 	go proLogic.UpdatesUserGwAccessOnRoleUpdates(role.NetworkLevelAccess, make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), role.NetworkID.String())
    1082. 

  1082. 	logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user role")
    1083. 

  1083. }
    1084. 

  1084. 

  1085. // @Summary     Attach user to a remote access gateway
    1086. 

  1086. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [post]
    1087. 

  1087. // @Tags        PRO
    1088. 

  1088. // @Accept      json
    1089. 

  1089. // @Produce     json
    1090. 

  1090. // @Param       username path string true "Username"
    1091. 

  1091. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1092. 

  1092. // @Success     200 {object} models.ReturnUser
    1093. 

  1093. // @Failure     400 {object} models.ErrorResponse
    1094. 

  1094. // @Failure     500 {object} models.ErrorResponse
    1095. 

  1095. func attachUserToRemoteAccessGw(w http.ResponseWriter, r *http.Request) {
    1096. 

  1096. 	// set header.
    1097. 

  1097. 	w.Header().Set("Content-Type", "application/json")
    1098. 

  1098. 

  1099. 	var params = mux.Vars(r)
    1100. 

  1100. 	username := params["username"]
    1101. 

  1101. 	remoteGwID := params["remote_access_gateway_id"]
    1102. 

  1102. 	if username == "" || remoteGwID == "" {
    1103. 

  1103. 		logic.ReturnErrorResponse(
    1104. 

  1104. 			w,
    1105. 

  1105. 			r,
    1106. 

  1106. 			logic.FormatError(
    1107. 

  1107. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1108. 

  1108. 				"badrequest",
    1109. 

  1109. 			),
    1110. 

  1110. 		)
    1111. 

  1111. 		return
    1112. 

  1112. 	}
    1113. 

  1113. 	user, err := logic.GetUser(username)
    1114. 

  1114. 	if err != nil {
    1115. 

  1115. 		slog.Error("failed to fetch user: ", "username", username, "error", err.Error())
    1116. 

  1116. 		logic.ReturnErrorResponse(
    1117. 

  1117. 			w,
    1118. 

  1118. 			r,
    1119. 

  1119. 			logic.FormatError(
    1120. 

  1120. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1121. 

  1121. 				"badrequest",
    1122. 

  1122. 			),
    1123. 

  1123. 		)
    1124. 

  1124. 		return
    1125. 

  1125. 	}
    1126. 

  1126. 	if user.PlatformRoleID == models.AdminRole || user.PlatformRoleID == models.SuperAdminRole {
    1127. 

  1127. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("superadmins/admins have access to all gateways"), "badrequest"))
    1128. 

  1128. 		return
    1129. 

  1129. 	}
    1130. 

  1130. 	node, err := logic.GetNodeByID(remoteGwID)
    1131. 

  1131. 	if err != nil {
    1132. 

  1132. 		slog.Error("failed to fetch gateway node", "nodeID", remoteGwID, "error", err)
    1133. 

  1133. 		logic.ReturnErrorResponse(
    1134. 

  1134. 			w,
    1135. 

  1135. 			r,
    1136. 

  1136. 			logic.FormatError(
    1137. 

  1137. 				fmt.Errorf("failed to fetch remote access gateway node, error: %v", err),
    1138. 

  1138. 				"badrequest",
    1139. 

  1139. 			),
    1140. 

  1140. 		)
    1141. 

  1141. 		return
    1142. 

  1142. 	}
    1143. 

  1143. 	if !node.IsIngressGateway {
    1144. 

  1144. 		logic.ReturnErrorResponse(
    1145. 

  1145. 			w,
    1146. 

  1146. 			r,
    1147. 

  1147. 			logic.FormatError(fmt.Errorf("node is not a remote access gateway"), "badrequest"),
    1148. 

  1148. 		)
    1149. 

  1149. 		return
    1150. 

  1150. 	}
    1151. 

  1151. 	if user.RemoteGwIDs == nil {
    1152. 

  1152. 		user.RemoteGwIDs = make(map[string]struct{})
    1153. 

  1153. 	}
    1154. 

  1154. 	user.RemoteGwIDs[node.ID.String()] = struct{}{}
    1155. 

  1155. 	err = logic.UpsertUser(*user)
    1156. 

  1156. 	if err != nil {
    1157. 

  1157. 		slog.Error("failed to update user's gateways", "user", username, "error", err)
    1158. 

  1158. 		logic.ReturnErrorResponse(
    1159. 

  1159. 			w,
    1160. 

  1160. 			r,
    1161. 

  1161. 			logic.FormatError(
    1162. 

  1162. 				fmt.Errorf("failed to fetch remote access gateway node,error: %v", err),
    1163. 

  1163. 				"badrequest",
    1164. 

  1164. 			),
    1165. 

  1165. 		)
    1166. 

  1166. 		return
    1167. 

  1167. 	}
    1168. 

  1168. 

  1169. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1170. 

  1170. }
    1171. 

  1171. 

  1172. // @Summary     Remove user from a remote access gateway
    1173. 

  1173. // @Router      /api/users/{username}/remote_access_gw/{remote_access_gateway_id} [delete]
    1174. 

  1174. // @Tags        PRO
    1175. 

  1175. // @Accept      json
    1176. 

  1176. // @Produce     json
    1177. 

  1177. // @Param       username path string true "Username"
    1178. 

  1178. // @Param       remote_access_gateway_id path string true "Remote Access Gateway ID"
    1179. 

  1179. // @Success     200 {object} models.ReturnUser
    1180. 

  1180. // @Failure     400 {object} models.ErrorResponse
    1181. 

  1181. // @Failure     500 {object} models.ErrorResponse
    1182. 

  1182. func removeUserFromRemoteAccessGW(w http.ResponseWriter, r *http.Request) {
    1183. 

  1183. 	// set header.
    1184. 

  1184. 	w.Header().Set("Content-Type", "application/json")
    1185. 

  1185. 

  1186. 	var params = mux.Vars(r)
    1187. 

  1187. 	username := params["username"]
    1188. 

  1188. 	remoteGwID := params["remote_access_gateway_id"]
    1189. 

  1189. 	if username == "" || remoteGwID == "" {
    1190. 

  1190. 		logic.ReturnErrorResponse(
    1191. 

  1191. 			w,
    1192. 

  1192. 			r,
    1193. 

  1193. 			logic.FormatError(
    1194. 

  1194. 				errors.New("required params `username` and `remote_access_gateway_id`"),
    1195. 

  1195. 				"badrequest",
    1196. 

  1196. 			),
    1197. 

  1197. 		)
    1198. 

  1198. 		return
    1199. 

  1199. 	}
    1200. 

  1200. 	user, err := logic.GetUser(username)
    1201. 

  1201. 	if err != nil {
    1202. 

  1202. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1203. 

  1203. 		logic.ReturnErrorResponse(
    1204. 

  1204. 			w,
    1205. 

  1205. 			r,
    1206. 

  1206. 			logic.FormatError(
    1207. 

  1207. 				fmt.Errorf("failed to fetch user %s, error: %v", username, err),
    1208. 

  1208. 				"badrequest",
    1209. 

  1209. 			),
    1210. 

  1210. 		)
    1211. 

  1211. 		return
    1212. 

  1212. 	}
    1213. 

  1213. 	delete(user.RemoteGwIDs, remoteGwID)
    1214. 

  1214. 	go func(user models.User, remoteGwID string) {
    1215. 

  1215. 		extclients, err := logic.GetAllExtClients()
    1216. 

  1216. 		if err != nil {
    1217. 

  1217. 			slog.Error("failed to fetch extclients", "error", err)
    1218. 

  1218. 			return
    1219. 

  1219. 		}
    1220. 

  1220. 		for _, extclient := range extclients {
    1221. 

  1221. 			if extclient.OwnerID == user.UserName && remoteGwID == extclient.IngressGatewayID {
    1222. 

  1222. 				err = logic.DeleteExtClientAndCleanup(extclient)
    1223. 

  1223. 				if err != nil {
    1224. 

  1224. 					slog.Error("failed to delete extclient",
    1225. 

  1225. 						"id", extclient.ClientID, "owner", user.UserName, "error", err)
    1226. 

  1226. 				} else {
    1227. 

  1227. 					if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil {
    1228. 

  1228. 						slog.Error("error setting ext peers: " + err.Error())
    1229. 

  1229. 					}
    1230. 

  1230. 				}
    1231. 

  1231. 			}
    1232. 

  1232. 		}
    1233. 

  1233. 		if servercfg.IsDNSMode() {
    1234. 

  1234. 			logic.SetDNS()
    1235. 

  1235. 		}
    1236. 

  1236. 	}(*user, remoteGwID)
    1237. 

  1237. 

  1238. 	err = logic.UpsertUser(*user)
    1239. 

  1239. 	if err != nil {
    1240. 

  1240. 		slog.Error("failed to update user gateways", "user", username, "error", err)
    1241. 

  1241. 		logic.ReturnErrorResponse(
    1242. 

  1242. 			w,
    1243. 

  1243. 			r,
    1244. 

  1244. 			logic.FormatError(
    1245. 

  1245. 				errors.New("failed to fetch remote access gaetway node "+err.Error()),
    1246. 

  1246. 				"badrequest",
    1247. 

  1247. 			),
    1248. 

  1248. 		)
    1249. 

  1249. 		return
    1250. 

  1250. 	}
    1251. 

  1251. 	json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
    1252. 

  1252. }
    1253. 

  1253. 

  1254. // @Summary     Get Users Remote Access Gw Networks.
    1255. 

  1255. // @Router      /api/users/{username}/remote_access_gw [get]
    1256. 

  1256. // @Tags        Users
    1257. 

  1257. // @Param       username path string true "Username to fetch all the gateways with access"
    1258. 

  1258. // @Success     200 {object} map[string][]models.UserRemoteGws
    1259. 

  1259. // @Failure     500 {object} models.ErrorResponse
    1260. 

  1260. func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
    1261. 

  1261. 	// set header.
    1262. 

  1262. 	w.Header().Set("Content-Type", "application/json")
    1263. 

  1263. 	username := r.Header.Get("user")
    1264. 

  1264. 	user, err := logic.GetUser(username)
    1265. 

  1265. 	if err != nil {
    1266. 

  1266. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1267. 

  1267. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1268. 

  1268. 		return
    1269. 

  1269. 	}
    1270. 

  1270. 	userGws := make(map[string][]models.UserRemoteGws)
    1271. 

  1271. 	networks := []models.Network{}
    1272. 

  1272. 	networkMap := make(map[string]struct{})
    1273. 

  1273. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1274. 

  1274. 	for _, node := range userGwNodes {
    1275. 

  1275. 		network, err := logic.GetNetwork(node.Network)
    1276. 

  1276. 		if err != nil {
    1277. 

  1277. 			slog.Error("failed to get node network", "error", err)
    1278. 

  1278. 			continue
    1279. 

  1279. 		}
    1280. 

  1280. 		if _, ok := networkMap[network.NetID]; ok {
    1281. 

  1281. 			continue
    1282. 

  1282. 		}
    1283. 

  1283. 		networkMap[network.NetID] = struct{}{}
    1284. 

  1284. 		networks = append(networks, network)
    1285. 

  1285. 	}
    1286. 

  1286. 

  1287. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1288. 

  1288. 	logic.ReturnSuccessResponseWithJson(w, r, networks, "fetched user accessible networks")
    1289. 

  1289. }
    1290. 

  1290. 

  1291. // @Summary     Get Users Remote Access Gw Networks.
    1292. 

  1292. // @Router      /api/users/{username}/remote_access_gw [get]
    1293. 

  1293. // @Tags        Users
    1294. 

  1294. // @Param       username path string true "Username to fetch all the gateways with access"
    1295. 

  1295. // @Success     200 {object} map[string][]models.UserRemoteGws
    1296. 

  1296. // @Failure     500 {object} models.ErrorResponse
    1297. 

  1297. func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request) {
    1298. 

  1298. 	// set header.
    1299. 

  1299. 	w.Header().Set("Content-Type", "application/json")
    1300. 

  1300. 	var params = mux.Vars(r)
    1301. 

  1301. 	username := r.Header.Get("user")
    1302. 

  1302. 	user, err := logic.GetUser(username)
    1303. 

  1303. 	if err != nil {
    1304. 

  1304. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1305. 

  1305. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1306. 

  1306. 		return
    1307. 

  1307. 	}
    1308. 

  1308. 	network := params["network"]
    1309. 

  1309. 	if network == "" {
    1310. 

  1310. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params network"), "badrequest"))
    1311. 

  1311. 		return
    1312. 

  1312. 	}
    1313. 

  1313. 	userGws := []models.UserRAGs{}
    1314. 

  1314. 

  1315. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1316. 

  1316. 	for _, node := range userGwNodes {
    1317. 

  1317. 		if node.Network != network {
    1318. 

  1318. 			continue
    1319. 

  1319. 		}
    1320. 

  1320. 

  1321. 		host, err := logic.GetHost(node.HostID.String())
    1322. 

  1322. 		if err != nil {
    1323. 

  1323. 			continue
    1324. 

  1324. 		}
    1325. 

  1325. 

  1326. 		userGws = append(userGws, models.UserRAGs{
    1327. 

  1327. 			GwID:              node.ID.String(),
    1328. 

  1328. 			GWName:            host.Name,
    1329. 

  1329. 			Network:           node.Network,
    1330. 

  1330. 			IsInternetGateway: node.IsInternetGateway,
    1331. 

  1331. 			Metadata:          node.Metadata,
    1332. 

  1332. 		})
    1333. 

  1333. 

  1334. 	}
    1335. 

  1335. 

  1336. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1337. 

  1337. 	logic.ReturnSuccessResponseWithJson(w, r, userGws, "fetched user accessible gateways in network "+network)
    1338. 

  1338. }
    1339. 

  1339. 

  1340. // @Summary     Get Users Remote Access Gw Networks.
    1341. 

  1341. // @Router      /api/users/{username}/remote_access_gw [get]
    1342. 

  1342. // @Tags        Users
    1343. 

  1343. // @Param       username path string true "Username to fetch all the gateways with access"
    1344. 

  1344. // @Success     200 {object} map[string][]models.UserRemoteGws
    1345. 

  1345. // @Failure     500 {object} models.ErrorResponse
    1346. 

  1346. func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
    1347. 

  1347. 	// set header.
    1348. 

  1348. 	w.Header().Set("Content-Type", "application/json")
    1349. 

  1349. 	var params = mux.Vars(r)
    1350. 

  1350. 	username := r.Header.Get("user")
    1351. 

  1351. 	user, err := logic.GetUser(username)
    1352. 

  1352. 	if err != nil {
    1353. 

  1353. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1354. 

  1354. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1355. 

  1355. 		return
    1356. 

  1356. 	}
    1357. 

  1357. 	remoteGwID := params["access_point_id"]
    1358. 

  1358. 	if remoteGwID == "" {
    1359. 

  1359. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params access_point_id"), "badrequest"))
    1360. 

  1360. 		return
    1361. 

  1361. 	}
    1362. 

  1362. 	var req models.UserRemoteGwsReq
    1363. 

  1363. 	err = json.NewDecoder(r.Body).Decode(&req)
    1364. 

  1364. 	if err != nil {
    1365. 

  1365. 		slog.Error("error decoding request body: ", "error", err)
    1366. 

  1366. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1367. 

  1367. 		return
    1368. 

  1368. 	}
    1369. 

  1369. 

  1370. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1371. 

  1371. 	if _, ok := userGwNodes[remoteGwID]; !ok {
    1372. 

  1372. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
    1373. 

  1373. 		return
    1374. 

  1374. 	}
    1375. 

  1375. 	node, err := logic.GetNodeByID(remoteGwID)
    1376. 

  1376. 	if err != nil {
    1377. 

  1377. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw node %s, error: %v", remoteGwID, err), "badrequest"))
    1378. 

  1378. 		return
    1379. 

  1379. 	}
    1380. 

  1380. 	host, err := logic.GetHost(node.HostID.String())
    1381. 

  1381. 	if err != nil {
    1382. 

  1382. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch gw host %s, error: %v", remoteGwID, err), "badrequest"))
    1383. 

  1383. 		return
    1384. 

  1384. 	}
    1385. 

  1385. 	network, err := logic.GetNetwork(node.Network)
    1386. 

  1386. 	if err != nil {
    1387. 

  1387. 		slog.Error("failed to get node network", "error", err)
    1388. 

  1388. 	}
    1389. 

  1389. 	var userConf models.ExtClient
    1390. 

  1390. 	allextClients, err := logic.GetAllExtClients()
    1391. 

  1391. 	if err != nil {
    1392. 

  1392. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1393. 

  1393. 		return
    1394. 

  1394. 	}
    1395. 

  1395. 	for _, extClient := range allextClients {
    1396. 

  1396. 		if extClient.Network != network.NetID || extClient.IngressGatewayID != node.ID.String() {
    1397. 

  1397. 			continue
    1398. 

  1398. 		}
    1399. 

  1399. 		if extClient.RemoteAccessClientID == req.RemoteAccessClientID && extClient.OwnerID == username {
    1400. 

  1400. 			userConf = extClient
    1401. 

  1401. 			userConf.AllowedIPs = logic.GetExtclientAllowedIPs(extClient)
    1402. 

  1402. 		}
    1403. 

  1403. 	}
    1404. 

  1404. 	if userConf.ClientID == "" {
    1405. 

  1405. 		// create a new conf
    1406. 

  1406. 		userConf.OwnerID = user.UserName
    1407. 

  1407. 		userConf.RemoteAccessClientID = req.RemoteAccessClientID
    1408. 

  1408. 		userConf.IngressGatewayID = node.ID.String()
    1409. 

  1409. 		logic.SetDNSOnWgConfig(&node, &userConf)
    1410. 

  1410. 

  1411. 		userConf.Network = node.Network
    1412. 

  1412. 		host, err := logic.GetHost(node.HostID.String())
    1413. 

  1413. 		if err != nil {
    1414. 

  1414. 			logger.Log(0, r.Header.Get("user"),
    1415. 

  1415. 				fmt.Sprintf("failed to get ingress gateway host for node [%s] info: %v", node.ID, err))
    1416. 

  1416. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1417. 

  1417. 			return
    1418. 

  1418. 		}
    1419. 

  1419. 		listenPort := logic.GetPeerListenPort(host)
    1420. 

  1420. 		if host.EndpointIP.To4() == nil {
    1421. 

  1421. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("[%s]:%d", host.EndpointIPv6.String(), listenPort)
    1422. 

  1422. 		} else {
    1423. 

  1423. 			userConf.IngressGatewayEndpoint = fmt.Sprintf("%s:%d", host.EndpointIP.String(), listenPort)
    1424. 

  1424. 		}
    1425. 

  1425. 		userConf.Enabled = true
    1426. 

  1426. 		parentNetwork, err := logic.GetNetwork(node.Network)
    1427. 

  1427. 		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
    1428. 

  1428. 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
    1429. 

  1429. 		}
    1430. 

  1430. 		userConf.Tags = make(map[models.TagID]struct{})
    1431. 

  1431. 		// userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
    1432. 

  1432. 		// 	models.RemoteAccessTagName))] = struct{}{}
    1433. 

  1433. 		if err = logic.CreateExtClient(&userConf); err != nil {
    1434. 

  1434. 			slog.Error(
    1435. 

  1435. 				"failed to create extclient",
    1436. 

  1436. 				"user",
    1437. 

  1437. 				r.Header.Get("user"),
    1438. 

  1438. 				"network",
    1439. 

  1439. 				node.Network,
    1440. 

  1440. 				"error",
    1441. 

  1441. 				err,
    1442. 

  1442. 			)
    1443. 

  1443. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1444. 

  1444. 			return
    1445. 

  1445. 		}
    1446. 

  1446. 	}
    1447. 

  1447. 	userGw := models.UserRemoteGws{
    1448. 

  1448. 		GwID:              node.ID.String(),
    1449. 

  1449. 		GWName:            host.Name,
    1450. 

  1450. 		Network:           node.Network,
    1451. 

  1451. 		GwClient:          userConf,
    1452. 

  1452. 		Connected:         true,
    1453. 

  1453. 		IsInternetGateway: node.IsInternetGateway,
    1454. 

  1454. 		GwPeerPublicKey:   host.PublicKey.String(),
    1455. 

  1455. 		GwListenPort:      logic.GetPeerListenPort(host),
    1456. 

  1456. 		Metadata:          node.Metadata,
    1457. 

  1457. 		AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1458. 

  1458. 		NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1459. 

  1459. 		ManageDNS:         host.DNS == "yes",
    1460. 

  1460. 		DnsAddress:        node.IngressDNS,
    1461. 

  1461. 		Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1462. 

  1462. 	}
    1463. 

  1463. 

  1464. 	slog.Debug("returned user gw config", "user", user.UserName, "gws", userGw)
    1465. 

  1465. 	logic.ReturnSuccessResponseWithJson(w, r, userGw, "fetched user config to gw "+remoteGwID)
    1466. 

  1466. }
    1467. 

  1467. 

  1468. // @Summary     Get Users Remote Access Gw.
    1469. 

  1469. // @Router      /api/users/{username}/remote_access_gw [get]
    1470. 

  1470. // @Tags        Users
    1471. 

  1471. // @Param       username path string true "Username to fetch all the gateways with access"
    1472. 

  1472. // @Success     200 {object} map[string][]models.UserRemoteGws
    1473. 

  1473. // @Failure     500 {object} models.ErrorResponse
    1474. 

  1474. func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
    1475. 

  1475. 	// set header.
    1476. 

  1476. 	w.Header().Set("Content-Type", "application/json")
    1477. 

  1477. 	var params = mux.Vars(r)
    1478. 

  1478. 	username := params["username"]
    1479. 

  1479. 	if username == "" {
    1480. 

  1480. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("required params username"), "badrequest"))
    1481. 

  1481. 		return
    1482. 

  1482. 	}
    1483. 

  1483. 	user, err := logic.GetUser(username)
    1484. 

  1484. 	if err != nil {
    1485. 

  1485. 		logger.Log(0, username, "failed to fetch user: ", err.Error())
    1486. 

  1486. 		logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to fetch user %s, error: %v", username, err), "badrequest"))
    1487. 

  1487. 		return
    1488. 

  1488. 	}
    1489. 

  1489. 	deviceID := r.URL.Query().Get("device_id")
    1490. 

  1490. 	remoteAccessClientID := r.URL.Query().Get("remote_access_clientid")
    1491. 

  1491. 	var req models.UserRemoteGwsReq
    1492. 

  1492. 	if remoteAccessClientID == "" {
    1493. 

  1493. 		err := json.NewDecoder(r.Body).Decode(&req)
    1494. 

  1494. 		if err != nil {
    1495. 

  1495. 			slog.Error("error decoding request body: ", "error", err)
    1496. 

  1496. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1497. 

  1497. 			return
    1498. 

  1498. 		}
    1499. 

  1499. 	}
    1500. 

  1500. 	reqFromMobile := r.URL.Query().Get("from_mobile") == "true"
    1501. 

  1501. 	if req.RemoteAccessClientID == "" && remoteAccessClientID == "" {
    1502. 

  1502. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("remote access client id cannot be empty"), "badrequest"))
    1503. 

  1503. 		return
    1504. 

  1504. 	}
    1505. 

  1505. 	if req.RemoteAccessClientID == "" {
    1506. 

  1506. 		req.RemoteAccessClientID = remoteAccessClientID
    1507. 

  1507. 	}
    1508. 

  1508. 	userGws := make(map[string][]models.UserRemoteGws)
    1509. 

  1509. 	allextClients, err := logic.GetAllExtClients()
    1510. 

  1510. 	if err != nil {
    1511. 

  1511. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1512. 

  1512. 		return
    1513. 

  1513. 	}
    1514. 

  1514. 	userGwNodes := proLogic.GetUserRAGNodes(*user)
    1515. 

  1515. 

  1516. 	userExtClients := make(map[string][]models.ExtClient)
    1517. 

  1517. 

  1518. 	// group all extclients of the requesting user by ingress
    1519. 

  1519. 	// gateway.
    1520. 

  1520. 	for _, extClient := range allextClients {
    1521. 

  1521. 		// filter our extclients that don't belong to this user.
    1522. 

  1522. 		if extClient.OwnerID != username {
    1523. 

  1523. 			continue
    1524. 

  1524. 		}
    1525. 

  1525. 

  1526. 		if extClient.RemoteAccessClientID == "" {
    1527. 

  1527. 			continue
    1528. 

  1528. 		}
    1529. 

  1529. 

  1530. 		_, ok := userExtClients[extClient.IngressGatewayID]
    1531. 

  1531. 		if !ok {
    1532. 

  1532. 			userExtClients[extClient.IngressGatewayID] = []models.ExtClient{}
    1533. 

  1533. 		}
    1534. 

  1534. 

  1535. 		userExtClients[extClient.IngressGatewayID] = append(userExtClients[extClient.IngressGatewayID], extClient)
    1536. 

  1536. 	}
    1537. 

  1537. 

  1538. 	for ingressGatewayID, extClients := range userExtClients {
    1539. 

  1539. 		logic.SortExtClient(extClients)
    1540. 

  1540. 

  1541. 		node, ok := userGwNodes[ingressGatewayID]
    1542. 

  1542. 		if !ok {
    1543. 

  1543. 			continue
    1544. 

  1544. 		}
    1545. 

  1545. 

  1546. 		var gwClient models.ExtClient
    1547. 

  1547. 		var found bool
    1548. 

  1548. 		if deviceID != "" {
    1549. 

  1549. 			for _, extClient := range extClients {
    1550. 

  1550. 				if extClient.DeviceID == deviceID {
    1551. 

  1551. 					gwClient = extClient
    1552. 

  1552. 					found = true
    1553. 

  1553. 					break
    1554. 

  1554. 				}
    1555. 

  1555. 			}
    1556. 

  1556. 		}
    1557. 

  1557. 

  1558. 		if !found && req.RemoteAccessClientID != "" {
    1559. 

  1559. 			for _, extClient := range extClients {
    1560. 

  1560. 				if extClient.RemoteAccessClientID == req.RemoteAccessClientID {
    1561. 

  1561. 					gwClient = extClient
    1562. 

  1562. 					found = true
    1563. 

  1563. 					break
    1564. 

  1564. 				}
    1565. 

  1565. 			}
    1566. 

  1566. 		}
    1567. 

  1567. 

  1568. 		if !found && len(extClients) > 0 && deviceID == "" {
    1569. 

  1569. 			// TODO: prevent ip clashes.
    1570. 

  1570. 			gwClient = extClients[0]
    1571. 

  1571. 		}
    1572. 

  1572. 

  1573. 		host, err := logic.GetHost(node.HostID.String())
    1574. 

  1574. 		if err != nil {
    1575. 

  1575. 			continue
    1576. 

  1576. 		}
    1577. 

  1577. 		network, err := logic.GetNetwork(node.Network)
    1578. 

  1578. 		if err != nil {
    1579. 

  1579. 			slog.Error("failed to get node network", "error", err)
    1580. 

  1580. 			continue
    1581. 

  1581. 		}
    1582. 

  1582. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1583. 

  1583. 		if len(nodesWithStatus) > 0 {
    1584. 

  1584. 			node = nodesWithStatus[0]
    1585. 

  1585. 		}
    1586. 

  1586. 

  1587. 		gws := userGws[node.Network]
    1588. 

  1588. 		if gwClient.DNS == "" {
    1589. 

  1589. 			logic.SetDNSOnWgConfig(&node, &gwClient)
    1590. 

  1590. 		}
    1591. 

  1591. 

  1592. 		gwClient.IngressGatewayEndpoint = utils.GetExtClientEndpoint(
    1593. 

  1593. 			host.EndpointIP,
    1594. 

  1594. 			host.EndpointIPv6,
    1595. 

  1595. 			logic.GetPeerListenPort(host),
    1596. 

  1596. 		)
    1597. 

  1597. 		gwClient.AllowedIPs = logic.GetExtclientAllowedIPs(gwClient)
    1598. 

  1598. 		gw := models.UserRemoteGws{
    1599. 

  1599. 			GwID:              node.ID.String(),
    1600. 

  1600. 			GWName:            host.Name,
    1601. 

  1601. 			Network:           node.Network,
    1602. 

  1602. 			GwClient:          gwClient,
    1603. 

  1603. 			Connected:         true,
    1604. 

  1604. 			IsInternetGateway: node.IsInternetGateway,
    1605. 

  1605. 			GwPeerPublicKey:   host.PublicKey.String(),
    1606. 

  1606. 			GwListenPort:      logic.GetPeerListenPort(host),
    1607. 

  1607. 			Metadata:          node.Metadata,
    1608. 

  1608. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1609. 

  1609. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1610. 

  1610. 			Status:            node.Status,
    1611. 

  1611. 			ManageDNS:         host.DNS == "yes",
    1612. 

  1612. 			DnsAddress:        node.IngressDNS,
    1613. 

  1613. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1614. 

  1614. 		}
    1615. 

  1615. 		if !node.IsInternetGateway {
    1616. 

  1616. 			hNs := logic.GetNameserversForNode(&node)
    1617. 

  1617. 			for _, nsI := range hNs {
    1618. 

  1618. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1619. 

  1619. 				if nsI.IsSearchDomain {
    1620. 

  1620. 					gw.SearchDomains = append(gw.SearchDomains, nsI.MatchDomain)
    1621. 

  1621. 				}
    1622. 

  1622. 			}
    1623. 

  1623. 		}
    1624. 

  1624. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1625. 

  1625. 		gws = append(gws, gw)
    1626. 

  1626. 		userGws[node.Network] = gws
    1627. 

  1627. 		delete(userGwNodes, node.ID.String())
    1628. 

  1628. 	}
    1629. 

  1629. 

  1630. 	// add remaining gw nodes to resp
    1631. 

  1631. 	for gwID := range userGwNodes {
    1632. 

  1632. 		node, err := logic.GetNodeByID(gwID)
    1633. 

  1633. 		if err != nil {
    1634. 

  1634. 			continue
    1635. 

  1635. 		}
    1636. 

  1636. 		if !node.IsIngressGateway {
    1637. 

  1637. 			continue
    1638. 

  1638. 		}
    1639. 

  1639. 		if node.PendingDelete {
    1640. 

  1640. 			continue
    1641. 

  1641. 		}
    1642. 

  1642. 		host, err := logic.GetHost(node.HostID.String())
    1643. 

  1643. 		if err != nil {
    1644. 

  1644. 			continue
    1645. 

  1645. 		}
    1646. 

  1646. 		nodesWithStatus := logic.AddStatusToNodes([]models.Node{node}, false)
    1647. 

  1647. 		if len(nodesWithStatus) > 0 {
    1648. 

  1648. 			node = nodesWithStatus[0]
    1649. 

  1649. 		}
    1650. 

  1650. 		network, err := logic.GetNetwork(node.Network)
    1651. 

  1651. 		if err != nil {
    1652. 

  1652. 			slog.Error("failed to get node network", "error", err)
    1653. 

  1653. 		}
    1654. 

  1654. 		gws := userGws[node.Network]
    1655. 

  1655. 		gw := models.UserRemoteGws{
    1656. 

  1656. 			GwID:              node.ID.String(),
    1657. 

  1657. 			GWName:            host.Name,
    1658. 

  1658. 			Network:           node.Network,
    1659. 

  1659. 			IsInternetGateway: node.IsInternetGateway,
    1660. 

  1660. 			GwPeerPublicKey:   host.PublicKey.String(),
    1661. 

  1661. 			GwListenPort:      logic.GetPeerListenPort(host),
    1662. 

  1662. 			Metadata:          node.Metadata,
    1663. 

  1663. 			AllowedEndpoints:  getAllowedRagEndpoints(&node, host),
    1664. 

  1664. 			NetworkAddresses:  []string{network.AddressRange, network.AddressRange6},
    1665. 

  1665. 			Status:            node.Status,
    1666. 

  1666. 			ManageDNS:         host.DNS == "yes",
    1667. 

  1667. 			DnsAddress:        node.IngressDNS,
    1668. 

  1668. 			Addresses:         utils.NoEmptyStringToCsv(node.Address.String(), node.Address6.String()),
    1669. 

  1669. 		}
    1670. 

  1670. 		if !node.IsInternetGateway {
    1671. 

  1671. 			hNs := logic.GetNameserversForNode(&node)
    1672. 

  1672. 			for _, nsI := range hNs {
    1673. 

  1673. 				gw.MatchDomains = append(gw.MatchDomains, nsI.MatchDomain)
    1674. 

  1674. 				if nsI.IsSearchDomain {
    1675. 

  1675. 					gw.SearchDomains = append(gw.SearchDomains, nsI.MatchDomain)
    1676. 

  1676. 				}
    1677. 

  1677. 			}
    1678. 

  1678. 		}
    1679. 

  1679. 		gw.MatchDomains = append(gw.MatchDomains, logic.GetEgressDomainsByAccess(user, models.NetworkID(node.Network))...)
    1680. 

  1680. 		gws = append(gws, gw)
    1681. 

  1681. 		userGws[node.Network] = gws
    1682. 

  1682. 	}
    1683. 

  1683. 

  1684. 	if reqFromMobile {
    1685. 

  1685. 		// send resp in array format
    1686. 

  1686. 		userGwsArr := []models.UserRemoteGws{}
    1687. 

  1687. 		for _, userGwI := range userGws {
    1688. 

  1688. 			userGwsArr = append(userGwsArr, userGwI...)
    1689. 

  1689. 		}
    1690. 

  1690. 		logic.ReturnSuccessResponseWithJson(w, r, userGwsArr, "fetched gateways for user"+username)
    1691. 

  1691. 		return
    1692. 

  1692. 	}
    1693. 

  1693. 	slog.Debug("returned user gws", "user", username, "gws", userGws)
    1694. 

  1694. 	w.WriteHeader(http.StatusOK)
    1695. 

  1695. 	json.NewEncoder(w).Encode(userGws)
    1696. 

  1696. }
    1697. 

  1697. 

  1698. // @Summary     List users attached to an remote access gateway
    1699. 

  1699. // @Router      /api/nodes/{network}/{nodeid}/ingress/users [get]
    1700. 

  1700. // @Tags        PRO
    1701. 

  1701. // @Accept      json
    1702. 

  1702. // @Produce     json
    1703. 

  1703. // @Param       ingress_id path string true "Ingress Gateway ID"
    1704. 

  1704. // @Success     200 {array} models.IngressGwUsers
    1705. 

  1705. // @Failure     400 {object} models.ErrorResponse
    1706. 

  1706. // @Failure     500 {object} models.ErrorResponse
    1707. 

  1707. func ingressGatewayUsers(w http.ResponseWriter, r *http.Request) {
    1708. 

  1708. 	w.Header().Set("Content-Type", "application/json")
    1709. 

  1709. 	var params = mux.Vars(r)
    1710. 

  1710. 	ingressID := params["ingress_id"]
    1711. 

  1711. 	node, err := logic.GetNodeByID(ingressID)
    1712. 

  1712. 	if err != nil {
    1713. 

  1713. 		slog.Error("failed to get ingress node", "error", err)
    1714. 

  1714. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1715. 

  1715. 		return
    1716. 

  1716. 	}
    1717. 

  1717. 	gwUsers, err := logic.GetIngressGwUsers(node)
    1718. 

  1718. 	if err != nil {
    1719. 

  1719. 		slog.Error(
    1720. 

  1720. 			"failed to get users on ingress gateway",
    1721. 

  1721. 			"nodeid",
    1722. 

  1722. 			ingressID,
    1723. 

  1723. 			"network",
    1724. 

  1724. 			node.Network,
    1725. 

  1725. 			"user",
    1726. 

  1726. 			r.Header.Get("user"),
    1727. 

  1727. 			"error",
    1728. 

  1728. 			err,
    1729. 

  1729. 		)
    1730. 

  1730. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1731. 

  1731. 		return
    1732. 

  1732. 	}
    1733. 

  1733. 	w.WriteHeader(http.StatusOK)
    1734. 

  1734. 	json.NewEncoder(w).Encode(gwUsers)
    1735. 

  1735. }
    1736. 

  1736. 

  1737. func getAllowedRagEndpoints(ragNode *models.Node, ragHost *models.Host) []string {
    1738. 

  1738. 	endpoints := []string{}
    1739. 

  1739. 	if len(ragHost.EndpointIP) > 0 {
    1740. 

  1740. 		endpoints = append(endpoints, ragHost.EndpointIP.String())
    1741. 

  1741. 	}
    1742. 

  1742. 	if len(ragHost.EndpointIPv6) > 0 {
    1743. 

  1743. 		endpoints = append(endpoints, ragHost.EndpointIPv6.String())
    1744. 

  1744. 	}
    1745. 

  1745. 	if servercfg.IsPro {
    1746. 

  1746. 		for _, ip := range ragNode.AdditionalRagIps {
    1747. 

  1747. 			endpoints = append(endpoints, ip.String())
    1748. 

  1748. 		}
    1749. 

  1749. 	}
    1750. 

  1750. 	return endpoints
    1751. 

  1751. }
    1752. 

  1752. 

  1753. // @Summary     Get all pending users
    1754. 

  1754. // @Router      /api/users_pending [get]
    1755. 

  1755. // @Tags        Users
    1756. 

  1756. // @Success     200 {array} models.User
    1757. 

  1757. // @Failure     500 {object} models.ErrorResponse
    1758. 

  1758. func getPendingUsers(w http.ResponseWriter, r *http.Request) {
    1759. 

  1759. 	// set header.
    1760. 

  1760. 	w.Header().Set("Content-Type", "application/json")
    1761. 

  1761. 

  1762. 	users, err := logic.ListPendingReturnUsers()
    1763. 

  1763. 	if err != nil {
    1764. 

  1764. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1765. 

  1765. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1766. 

  1766. 		return
    1767. 

  1767. 	}
    1768. 

  1768. 

  1769. 	logic.SortUsers(users[:])
    1770. 

  1770. 	logger.Log(2, r.Header.Get("user"), "fetched pending users")
    1771. 

  1771. 	json.NewEncoder(w).Encode(users)
    1772. 

  1772. }
    1773. 

  1773. 

  1774. // @Summary     Approve a pending user
    1775. 

  1775. // @Router      /api/users_pending/user/{username} [post]
    1776. 

  1776. // @Tags        Users
    1777. 

  1777. // @Param       username path string true "Username of the pending user to approve"
    1778. 

  1778. // @Success     200 {string} string
    1779. 

  1779. // @Failure     500 {object} models.ErrorResponse
    1780. 

  1780. func approvePendingUser(w http.ResponseWriter, r *http.Request) {
    1781. 

  1781. 	// set header.
    1782. 

  1782. 	w.Header().Set("Content-Type", "application/json")
    1783. 

  1783. 	var params = mux.Vars(r)
    1784. 

  1784. 	username := params["username"]
    1785. 

  1785. 	users, err := logic.ListPendingUsers()
    1786. 

  1786. 

  1787. 	if err != nil {
    1788. 

  1788. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1789. 

  1789. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1790. 

  1790. 		return
    1791. 

  1791. 	}
    1792. 

  1792. 	for _, user := range users {
    1793. 

  1793. 		if user.UserName == username {
    1794. 

  1794. 			var newPass, fetchErr = logic.FetchPassValue("")
    1795. 

  1795. 			if fetchErr != nil {
    1796. 

  1796. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fetchErr, "internal"))
    1797. 

  1797. 				return
    1798. 

  1798. 			}
    1799. 

  1799. 			if err = logic.CreateUser(&models.User{
    1800. 

  1800. 				UserName:                   user.UserName,
    1801. 

  1801. 				ExternalIdentityProviderID: user.ExternalIdentityProviderID,
    1802. 

  1802. 				Password:                   newPass,
    1803. 

  1803. 				AuthType:                   user.AuthType,
    1804. 

  1804. 				PlatformRoleID:             models.ServiceUser,
    1805. 

  1805. 			}); err != nil {
    1806. 

  1806. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to create user: %s", err), "internal"))
    1807. 

  1807. 				return
    1808. 

  1808. 			}
    1809. 

  1809. 			err = logic.DeletePendingUser(username)
    1810. 

  1810. 			if err != nil {
    1811. 

  1811. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1812. 

  1812. 				return
    1813. 

  1813. 			}
    1814. 

  1814. 			break
    1815. 

  1815. 		}
    1816. 

  1816. 	}
    1817. 

  1817. 	logic.LogEvent(&models.Event{
    1818. 

  1818. 		Action: models.Create,
    1819. 

  1819. 		Source: models.Subject{
    1820. 

  1820. 			ID:   r.Header.Get("user"),
    1821. 

  1821. 			Name: r.Header.Get("user"),
    1822. 

  1822. 			Type: models.UserSub,
    1823. 

  1823. 		},
    1824. 

  1824. 		TriggeredBy: r.Header.Get("user"),
    1825. 

  1825. 		Target: models.Subject{
    1826. 

  1826. 			ID:   username,
    1827. 

  1827. 			Name: username,
    1828. 

  1828. 			Type: models.PendingUserSub,
    1829. 

  1829. 		},
    1830. 

  1830. 		Origin: models.Dashboard,
    1831. 

  1831. 	})
    1832. 

  1832. 	logic.ReturnSuccessResponse(w, r, "approved "+username)
    1833. 

  1833. }
    1834. 

  1834. 

  1835. // @Summary     Delete a pending user
    1836. 

  1836. // @Router      /api/users_pending/user/{username} [delete]
    1837. 

  1837. // @Tags        Users
    1838. 

  1838. // @Param       username path string true "Username of the pending user to delete"
    1839. 

  1839. // @Success     200 {string} string
    1840. 

  1840. // @Failure     500 {object} models.ErrorResponse
    1841. 

  1841. func deletePendingUser(w http.ResponseWriter, r *http.Request) {
    1842. 

  1842. 	// set header.
    1843. 

  1843. 	w.Header().Set("Content-Type", "application/json")
    1844. 

  1844. 	var params = mux.Vars(r)
    1845. 

  1845. 	username := params["username"]
    1846. 

  1846. 	users, err := logic.ListPendingReturnUsers()
    1847. 

  1847. 

  1848. 	if err != nil {
    1849. 

  1849. 		logger.Log(0, "failed to fetch users: ", err.Error())
    1850. 

  1850. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
    1851. 

  1851. 		return
    1852. 

  1852. 	}
    1853. 

  1853. 	for _, user := range users {
    1854. 

  1854. 		if user.UserName == username {
    1855. 

  1855. 			err = logic.DeletePendingUser(username)
    1856. 

  1856. 			if err != nil {
    1857. 

  1857. 				logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("failed to delete pending user: %s", err), "internal"))
    1858. 

  1858. 				return
    1859. 

  1859. 			}
    1860. 

  1860. 			break
    1861. 

  1861. 		}
    1862. 

  1862. 	}
    1863. 

  1863. 	logic.LogEvent(&models.Event{
    1864. 

  1864. 		Action: models.Delete,
    1865. 

  1865. 		Source: models.Subject{
    1866. 

  1866. 			ID:   r.Header.Get("user"),
    1867. 

  1867. 			Name: r.Header.Get("user"),
    1868. 

  1868. 			Type: models.UserSub,
    1869. 

  1869. 		},
    1870. 

  1870. 		TriggeredBy: r.Header.Get("user"),
    1871. 

  1871. 		Target: models.Subject{
    1872. 

  1872. 			ID:   username,
    1873. 

  1873. 			Name: username,
    1874. 

  1874. 			Type: models.PendingUserSub,
    1875. 

  1875. 		},
    1876. 

  1876. 		Origin: models.Dashboard,
    1877. 

  1877. 		Diff: models.Diff{
    1878. 

  1878. 			Old: models.User{
    1879. 

  1879. 				UserName: username,
    1880. 

  1880. 			},
    1881. 

  1881. 			New: nil,
    1882. 

  1882. 		},
    1883. 

  1883. 	})
    1884. 

  1884. 	logic.ReturnSuccessResponse(w, r, "deleted pending "+username)
    1885. 

  1885. }
    1886. 

  1886. 

  1887. // @Summary     Delete all pending users
    1888. 

  1888. // @Router      /api/users_pending [delete]
    1889. 

  1889. // @Tags        Users
    1890. 

  1890. // @Success     200 {string} string
    1891. 

  1891. // @Failure     500 {object} models.ErrorResponse
    1892. 

  1892. func deleteAllPendingUsers(w http.ResponseWriter, r *http.Request) {
    1893. 

  1893. 	// set header.
    1894. 

  1894. 	err := database.DeleteAllRecords(database.PENDING_USERS_TABLE_NAME)
    1895. 

  1895. 	if err != nil {
    1896. 

  1896. 		logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("failed to delete all pending users "+err.Error()), "internal"))
    1897. 

  1897. 		return
    1898. 

  1898. 	}
    1899. 

  1899. 	logic.LogEvent(&models.Event{
    1900. 

  1900. 		Action: models.DeleteAll,
    1901. 

  1901. 		Source: models.Subject{
    1902. 

  1902. 			ID:   r.Header.Get("user"),
    1903. 

  1903. 			Name: r.Header.Get("user"),
    1904. 

  1904. 			Type: models.UserSub,
    1905. 

  1905. 		},
    1906. 

  1906. 		TriggeredBy: r.Header.Get("user"),
    1907. 

  1907. 		Target: models.Subject{
    1908. 

  1908. 			ID:   r.Header.Get("user"),
    1909. 

  1909. 			Name: r.Header.Get("user"),
    1910. 

  1910. 			Type: models.PendingUserSub,
    1911. 

  1911. 		},
    1912. 

  1912. 		Origin: models.Dashboard,
    1913. 

  1913. 	})
    1914. 

  1914. 	logic.ReturnSuccessResponse(w, r, "cleared all pending users")
    1915. 

  1915. }
    1916. 

  1916. 

  1917. // @Summary     Sync users and groups from idp.
    1918. 

  1918. // @Router      /api/idp/sync [post]
    1919. 

  1919. // @Tags        IDP
    1920. 

  1920. // @Success     200 {object} models.SuccessResponse
    1921. 

  1921. func syncIDP(w http.ResponseWriter, r *http.Request) {
    1922. 

  1922. 	go func() {
    1923. 

  1923. 		err := proAuth.SyncFromIDP()
    1924. 

  1924. 		if err != nil {
    1925. 

  1925. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    1926. 

  1926. 		} else {
    1927. 

  1927. 			logger.Log(0, "sync from idp complete")
    1928. 

  1928. 		}
    1929. 

  1929. 	}()
    1930. 

  1930. 

  1931. 	logic.ReturnSuccessResponse(w, r, "starting sync from idp")
    1932. 

  1932. }
    1933. 

  1933. 

  1934. // @Summary     Test IDP Sync Credentials.
    1935. 

  1935. // @Router      /api/idp/sync/test [post]
    1936. 

  1936. // @Tags        IDP
    1937. 

  1937. // @Success     200 {object} models.SuccessResponse
    1938. 

  1938. // @Failure     400 {object} models.ErrorResponse
    1939. 

  1939. func testIDPSync(w http.ResponseWriter, r *http.Request) {
    1940. 

  1940. 	var req models.IDPSyncTestRequest
    1941. 

  1941. 	err := json.NewDecoder(r.Body).Decode(&req)
    1942. 

  1942. 	if err != nil {
    1943. 

  1943. 		err = fmt.Errorf("failed to decode request body: %v", err)
    1944. 

  1944. 		logger.Log(0, err.Error())
    1945. 

  1945. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1946. 

  1946. 		return
    1947. 

  1947. 	}
    1948. 

  1948. 

  1949. 	var idpClient idp.Client
    1950. 

  1950. 	switch req.AuthProvider {
    1951. 

  1951. 	case "google":
    1952. 

  1952. 		idpClient, err = google.NewGoogleWorkspaceClient(req.GoogleAdminEmail, req.GoogleSACredsJson)
    1953. 

  1953. 		if err != nil {
    1954. 

  1954. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1955. 

  1955. 			return
    1956. 

  1956. 		}
    1957. 

  1957. 	case "azure-ad":
    1958. 

  1958. 		idpClient = azure.NewAzureEntraIDClient(req.ClientID, req.ClientSecret, req.AzureTenantID)
    1959. 

  1959. 	case "okta":
    1960. 

  1960. 		idpClient, err = okta.NewOktaClient(req.OktaOrgURL, req.OktaAPIToken)
    1961. 

  1961. 		if err != nil {
    1962. 

  1962. 			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1963. 

  1963. 			return
    1964. 

  1964. 		}
    1965. 

  1965. 	default:
    1966. 

  1966. 		err = fmt.Errorf("invalid auth provider: %s", req.AuthProvider)
    1967. 

  1967. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1968. 

  1968. 		return
    1969. 

  1969. 	}
    1970. 

  1970. 

  1971. 	err = idpClient.Verify()
    1972. 

  1972. 	if err != nil {
    1973. 

  1973. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    1974. 

  1974. 		return
    1975. 

  1975. 	}
    1976. 

  1976. 

  1977. 	logic.ReturnSuccessResponse(w, r, "idp sync test successful")
    1978. 

  1978. }
    1979. 

  1979. 

  1980. // @Summary     Gets idp sync status.
    1981. 

  1981. // @Router      /api/idp/sync/status [get]
    1982. 

  1982. // @Tags        IDP
    1983. 

  1983. // @Success     200 {object} models.SuccessResponse
    1984. 

  1984. func getIDPSyncStatus(w http.ResponseWriter, r *http.Request) {
    1985. 

  1985. 	logic.ReturnSuccessResponseWithJson(w, r, proAuth.GetIDPSyncStatus(), "idp sync status retrieved")
    1986. 

  1986. }
    1987. 

  1987. 

  1988. // @Summary     Remove idp integration.
    1989. 

  1989. // @Router      /api/idp [delete]
    1990. 

  1990. // @Tags        IDP
    1991. 

  1991. // @Success     200 {object} models.SuccessResponse
    1992. 

  1992. // @Failure     500 {object} models.ErrorResponse
    1993. 

  1993. func removeIDPIntegration(w http.ResponseWriter, r *http.Request) {
    1994. 

  1994. 	superAdmin, err := logic.GetSuperAdmin()
    1995. 

  1995. 	if err != nil {
    1996. 

  1996. 		logic.ReturnErrorResponse(
    1997. 

  1997. 			w,
    1998. 

  1998. 			r,
    1999. 

  1999. 			logic.FormatError(fmt.Errorf("failed to get superadmin: %v", err), "internal"),
    2000. 

  2000. 		)
    2001. 

  2001. 		return
    2002. 

  2002. 	}
    2003. 

  2003. 

  2004. 	if superAdmin.AuthType == models.OAuth {
    2005. 

  2005. 		err := fmt.Errorf(
    2006. 

  2006. 			"cannot remove IdP integration because an OAuth user has the super-admin role; transfer the super-admin role to another user first",
    2007. 

  2007. 		)
    2008. 

  2008. 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
    2009. 

  2009. 		return
    2010. 

  2010. 	}
    2011. 

  2011. 

  2012. 	settings := logic.GetServerSettings()
    2013. 

  2013. 	settings.AuthProvider = ""
    2014. 

  2014. 	settings.OIDCIssuer = ""
    2015. 

  2015. 	settings.ClientID = ""
    2016. 

  2016. 	settings.ClientSecret = ""
    2017. 

  2017. 	settings.SyncEnabled = false
    2018. 

  2018. 	settings.GoogleAdminEmail = ""
    2019. 

  2019. 	settings.GoogleSACredsJson = ""
    2020. 

  2020. 	settings.AzureTenant = ""
    2021. 

  2021. 	settings.UserFilters = nil
    2022. 

  2022. 	settings.GroupFilters = nil
    2023. 

  2023. 

  2024. 	err = logic.UpsertServerSettings(settings)
    2025. 

  2025. 	if err != nil {
    2026. 

  2026. 		logic.ReturnErrorResponse(
    2027. 

  2027. 			w,
    2028. 

  2028. 			r,
    2029. 

  2029. 			logic.FormatError(fmt.Errorf("failed to remove idp integration: %v", err), "internal"),
    2030. 

  2030. 		)
    2031. 

  2031. 		return
    2032. 

  2032. 	}
    2033. 

  2033. 

  2034. 	proAuth.ResetAuthProvider()
    2035. 

  2035. 	proAuth.ResetIDPSyncHook()
    2036. 

  2036. 

  2037. 	go func() {
    2038. 

  2038. 		err := proAuth.SyncFromIDP()
    2039. 

  2039. 		if err != nil {
    2040. 

  2040. 			logger.Log(0, "failed to sync from idp: ", err.Error())
    2041. 

  2041. 		} else {
    2042. 

  2042. 			logger.Log(0, "sync from idp complete")
    2043. 

  2043. 		}
    2044. 

  2044. 	}()
    2045. 

  2045. 

  2046. 	logic.ReturnSuccessResponse(w, r, "removed idp integration successfully")
    2047. 

  2047. }
    2048.