2021-03-26 00:17:52 +08:00
|
|
|
package controller
|
|
|
|
|
|
|
|
import (
|
2021-04-18 02:03:01 +08:00
|
|
|
"encoding/json"
|
|
|
|
"errors"
|
2021-10-26 02:51:52 +08:00
|
|
|
"fmt"
|
2021-04-18 02:03:01 +08:00
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/gorilla/mux"
|
2022-09-14 03:25:56 +08:00
|
|
|
"github.com/gorilla/websocket"
|
2021-10-22 03:28:58 +08:00
|
|
|
"github.com/gravitl/netmaker/auth"
|
2021-12-07 04:31:08 +08:00
|
|
|
"github.com/gravitl/netmaker/logger"
|
2021-10-22 03:28:58 +08:00
|
|
|
"github.com/gravitl/netmaker/logic"
|
2021-04-18 02:03:01 +08:00
|
|
|
"github.com/gravitl/netmaker/models"
|
2023-10-02 12:57:58 +08:00
|
|
|
"github.com/gravitl/netmaker/mq"
|
2022-09-14 03:25:56 +08:00
|
|
|
"github.com/gravitl/netmaker/servercfg"
|
2023-09-01 16:57:08 +08:00
|
|
|
"golang.org/x/exp/slog"
|
2022-09-14 03:25:56 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
upgrader = websocket.Upgrader{}
|
2021-03-26 00:17:52 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
func userHandlers(r *mux.Router) {
|
2023-09-01 16:57:08 +08:00
|
|
|
r.HandleFunc("/api/users/adm/hassuperadmin", hasSuperAdmin).Methods(http.MethodGet)
|
|
|
|
r.HandleFunc("/api/users/adm/createsuperadmin", createSuperAdmin).Methods(http.MethodPost)
|
|
|
|
r.HandleFunc("/api/users/adm/transfersuperadmin/{username}", logic.SecurityCheck(true, http.HandlerFunc(transferSuperAdmin))).Methods(http.MethodPost)
|
2022-12-23 22:49:08 +08:00
|
|
|
r.HandleFunc("/api/users/adm/authenticate", authenticateUser).Methods(http.MethodPost)
|
2023-09-01 16:57:08 +08:00
|
|
|
r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(updateUser))).Methods(http.MethodPut)
|
2023-08-09 01:47:49 +08:00
|
|
|
r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, checkFreeTierLimits(limitChoiceUsers, http.HandlerFunc(createUser)))).Methods(http.MethodPost)
|
2022-12-23 22:49:08 +08:00
|
|
|
r.HandleFunc("/api/users/{username}", logic.SecurityCheck(true, http.HandlerFunc(deleteUser))).Methods(http.MethodDelete)
|
|
|
|
r.HandleFunc("/api/users/{username}", logic.SecurityCheck(false, logic.ContinueIfUserMatch(http.HandlerFunc(getUser)))).Methods(http.MethodGet)
|
|
|
|
r.HandleFunc("/api/users", logic.SecurityCheck(true, http.HandlerFunc(getUsers))).Methods(http.MethodGet)
|
|
|
|
r.HandleFunc("/api/oauth/login", auth.HandleAuthLogin).Methods(http.MethodGet)
|
|
|
|
r.HandleFunc("/api/oauth/callback", auth.HandleAuthCallback).Methods(http.MethodGet)
|
2023-01-02 15:48:40 +08:00
|
|
|
r.HandleFunc("/api/oauth/headless", auth.HandleHeadlessSSO)
|
2023-04-13 23:36:13 +08:00
|
|
|
r.HandleFunc("/api/oauth/register/{regKey}", auth.RegisterHostSSO).Methods(http.MethodGet)
|
2021-03-26 00:17:52 +08:00
|
|
|
}
|
|
|
|
|
2023-10-04 14:26:38 +08:00
|
|
|
// swagger:route POST /api/users/adm/authenticate authenticate authenticateUser
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-10-04 14:26:38 +08:00
|
|
|
// User authenticates using its password and retrieves a JWT for authorization.
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: successResponse
|
2021-03-26 00:17:52 +08:00
|
|
|
func authenticateUser(response http.ResponseWriter, request *http.Request) {
|
|
|
|
|
2021-10-16 20:01:38 +08:00
|
|
|
// Auth request consists of Mac Address and Password (from node that is authorizing
|
|
|
|
// in case of Master, auth is ignored and mac is set to "mastermac"
|
2021-04-18 02:03:01 +08:00
|
|
|
var authRequest models.UserAuthParams
|
|
|
|
var errorResponse = models.ErrorResponse{
|
|
|
|
Code: http.StatusInternalServerError, Message: "W1R3: It's not you it's me.",
|
|
|
|
}
|
|
|
|
|
2022-09-14 03:25:56 +08:00
|
|
|
if !servercfg.IsBasicAuthEnabled() {
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(response, request, logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"))
|
2022-09-14 03:25:56 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-04-18 02:03:01 +08:00
|
|
|
decoder := json.NewDecoder(request.Body)
|
|
|
|
decoderErr := decoder.Decode(&authRequest)
|
|
|
|
defer request.Body.Close()
|
|
|
|
if decoderErr != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, "error decoding request body: ",
|
|
|
|
decoderErr.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
2021-03-27 04:13:51 +08:00
|
|
|
return
|
2021-04-30 06:14:13 +08:00
|
|
|
}
|
2023-12-20 13:08:55 +08:00
|
|
|
if val := request.Header.Get("From-Ui"); val == "true" {
|
|
|
|
// request came from UI, if normal user block Login
|
|
|
|
user, err := logic.GetUser(authRequest.UserName)
|
|
|
|
if err != nil {
|
|
|
|
logger.Log(0, authRequest.UserName, "user validation failed: ",
|
|
|
|
err.Error())
|
|
|
|
logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !(user.IsAdmin || user.IsSuperAdmin) {
|
|
|
|
logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("only admins can access dashboard"), "unauthorized"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
2022-07-12 18:49:49 +08:00
|
|
|
username := authRequest.UserName
|
2021-10-22 08:32:23 +08:00
|
|
|
jwt, err := logic.VerifyAuthRequest(authRequest)
|
2021-04-30 06:14:13 +08:00
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, username, "user validation failed: ",
|
|
|
|
err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(response, request, logic.FormatError(err, "badrequest"))
|
2021-04-30 23:30:19 +08:00
|
|
|
return
|
2021-04-30 06:14:13 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if jwt == "" {
|
2021-10-16 20:01:38 +08:00
|
|
|
// very unlikely that err is !nil and no jwt returned, but handle it anyways.
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, username, "jwt token is empty")
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("no token returned"), "internal"))
|
2021-04-30 06:14:13 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var successResponse = models.SuccessResponse{
|
|
|
|
Code: http.StatusOK,
|
2021-07-19 23:30:27 +08:00
|
|
|
Message: "W1R3: Device " + username + " Authorized",
|
2021-04-30 06:14:13 +08:00
|
|
|
Response: models.SuccessfulUserLoginResponse{
|
|
|
|
AuthToken: jwt,
|
2021-07-19 23:30:27 +08:00
|
|
|
UserName: username,
|
2021-04-30 06:14:13 +08:00
|
|
|
},
|
|
|
|
}
|
2021-10-16 20:01:38 +08:00
|
|
|
// Send back the JWT
|
2021-04-30 06:14:13 +08:00
|
|
|
successJSONResponse, jsonError := json.Marshal(successResponse)
|
|
|
|
if jsonError != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, username,
|
|
|
|
"error marshalling resp: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
2021-04-30 06:14:13 +08:00
|
|
|
return
|
2021-03-26 00:17:52 +08:00
|
|
|
}
|
2021-12-07 04:31:08 +08:00
|
|
|
logger.Log(2, username, "was authenticated")
|
2021-04-30 06:14:13 +08:00
|
|
|
response.Header().Set("Content-Type", "application/json")
|
|
|
|
response.Write(successJSONResponse)
|
2023-10-02 12:57:58 +08:00
|
|
|
|
|
|
|
go func() {
|
|
|
|
if servercfg.IsPro && servercfg.GetRacAutoDisable() {
|
|
|
|
// enable all associeated clients for the user
|
|
|
|
clients, err := logic.GetAllExtClients()
|
|
|
|
if err != nil {
|
|
|
|
slog.Error("error getting clients: ", "error", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
for _, client := range clients {
|
|
|
|
if client.OwnerID == username && !client.Enabled {
|
|
|
|
slog.Info(fmt.Sprintf("enabling ext client %s for user %s due to RAC autodisabling feature", client.ClientID, client.OwnerID))
|
|
|
|
if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
|
2023-12-20 13:08:55 +08:00
|
|
|
slog.Error("error enabling ext client in RAC autodisable hook", "error", err)
|
2023-10-02 12:57:58 +08:00
|
|
|
continue // dont return but try for other clients
|
|
|
|
} else {
|
|
|
|
// publish peer update to ingress gateway
|
|
|
|
if ingressNode, err := logic.GetNodeByID(newClient.IngressGatewayID); err == nil {
|
|
|
|
if err = mq.PublishPeerUpdate(); err != nil {
|
|
|
|
slog.Error("error updating ext clients on", "ingress", ingressNode.ID.String(), "err", err.Error())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
2021-04-30 06:14:13 +08:00
|
|
|
}
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
// swagger:route GET /api/users/adm/hassuperadmin user hasSuperAdmin
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
|
|
|
// Checks whether the server has an admin.
|
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
2023-10-04 14:26:38 +08:00
|
|
|
// 200: hasAdmin
|
2023-09-01 16:57:08 +08:00
|
|
|
func hasSuperAdmin(w http.ResponseWriter, r *http.Request) {
|
2021-03-26 00:17:52 +08:00
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
hasSuperAdmin, err := logic.HasSuperAdmin()
|
2021-08-10 01:30:40 +08:00
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, "failed to check for admin: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-08-10 01:30:40 +08:00
|
|
|
return
|
2021-09-06 22:36:14 +08:00
|
|
|
}
|
2021-03-26 00:17:52 +08:00
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
json.NewEncoder(w).Encode(hasSuperAdmin)
|
2021-03-26 00:17:52 +08:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2022-09-15 20:47:48 +08:00
|
|
|
// swagger:route GET /api/users/{username} user getUser
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
|
|
|
// Get an individual user.
|
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2021-03-26 00:17:52 +08:00
|
|
|
func getUser(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// set header.
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
2021-04-18 02:03:01 +08:00
|
|
|
var params = mux.Vars(r)
|
2021-07-19 23:30:27 +08:00
|
|
|
usernameFetched := params["username"]
|
2023-06-26 13:23:00 +08:00
|
|
|
user, err := logic.GetReturnUser(usernameFetched)
|
2021-03-26 00:17:52 +08:00
|
|
|
|
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, usernameFetched, "failed to fetch user: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-03-26 00:17:52 +08:00
|
|
|
return
|
|
|
|
}
|
2021-12-07 04:31:08 +08:00
|
|
|
logger.Log(2, r.Header.Get("user"), "fetched user", usernameFetched)
|
2021-03-26 00:17:52 +08:00
|
|
|
json.NewEncoder(w).Encode(user)
|
|
|
|
}
|
|
|
|
|
2022-09-15 20:47:48 +08:00
|
|
|
// swagger:route GET /api/users user getUsers
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2022-09-11 12:51:59 +08:00
|
|
|
// Get all users.
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2021-07-02 12:03:46 +08:00
|
|
|
func getUsers(w http.ResponseWriter, r *http.Request) {
|
2021-07-15 04:47:05 +08:00
|
|
|
// set header.
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2021-07-02 12:03:46 +08:00
|
|
|
|
2021-10-22 03:28:58 +08:00
|
|
|
users, err := logic.GetUsers()
|
2021-07-02 12:03:46 +08:00
|
|
|
|
2021-07-15 04:47:05 +08:00
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, "failed to fetch users: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-07-15 04:47:05 +08:00
|
|
|
return
|
|
|
|
}
|
2021-07-02 12:03:46 +08:00
|
|
|
|
2023-04-04 02:36:38 +08:00
|
|
|
logic.SortUsers(users[:])
|
2021-12-07 04:31:08 +08:00
|
|
|
logger.Log(2, r.Header.Get("user"), "fetched users")
|
2021-07-15 04:47:05 +08:00
|
|
|
json.NewEncoder(w).Encode(users)
|
2021-07-02 12:03:46 +08:00
|
|
|
}
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
// swagger:route POST /api/users/adm/createsuperadmin user createAdmin
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
|
|
|
// Make a user an admin.
|
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2023-09-01 16:57:08 +08:00
|
|
|
func createSuperAdmin(w http.ResponseWriter, r *http.Request) {
|
2021-03-26 00:17:52 +08:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
var u models.User
|
2021-10-15 04:36:14 +08:00
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
err := json.NewDecoder(r.Body).Decode(&u)
|
2022-07-12 18:49:49 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
slog.Error("error decoding request body", "error", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2022-07-12 18:49:49 +08:00
|
|
|
return
|
|
|
|
}
|
2021-04-30 23:30:19 +08:00
|
|
|
|
2022-09-14 03:25:56 +08:00
|
|
|
if !servercfg.IsBasicAuthEnabled() {
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"))
|
2022-09-14 03:25:56 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
err = logic.CreateSuperAdmin(&u)
|
2021-04-18 02:03:01 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
slog.Error("failed to create admin", "error", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2021-04-18 02:03:01 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
logger.Log(1, u.UserName, "was made a super admin")
|
|
|
|
json.NewEncoder(w).Encode(logic.ToReturnUser(u))
|
2021-03-26 00:17:52 +08:00
|
|
|
}
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
// swagger:route POST /api/users/adm/transfersuperadmin user transferSuperAdmin
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-09-01 16:57:08 +08:00
|
|
|
// Transfers superadmin role to an admin user.
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2023-09-01 16:57:08 +08:00
|
|
|
func transferSuperAdmin(w http.ResponseWriter, r *http.Request) {
|
2021-07-15 04:47:05 +08:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2023-09-01 16:57:08 +08:00
|
|
|
caller, err := logic.GetUser(r.Header.Get("user"))
|
2022-07-12 18:49:49 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
|
|
}
|
|
|
|
if !caller.IsSuperAdmin {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can assign the superadmin role to another user"), "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
var params = mux.Vars(r)
|
|
|
|
username := params["username"]
|
|
|
|
u, err := logic.GetUser(username)
|
|
|
|
if err != nil {
|
|
|
|
slog.Error("error getting user", "user", u.UserName, "error", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2022-07-12 18:49:49 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
if !u.IsAdmin {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only admins can be promoted to superadmin role"), "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !servercfg.IsBasicAuthEnabled() {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("basic auth is disabled"), "badrequest"))
|
|
|
|
return
|
|
|
|
}
|
2022-09-14 03:25:56 +08:00
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
u.IsSuperAdmin = true
|
|
|
|
u.IsAdmin = false
|
|
|
|
err = logic.UpsertUser(*u)
|
2021-07-15 04:47:05 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
slog.Error("error updating user to superadmin: ", "user", u.UserName, "error", err.Error())
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-07-15 04:47:05 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
caller.IsSuperAdmin = false
|
|
|
|
caller.IsAdmin = true
|
|
|
|
err = logic.UpsertUser(*caller)
|
|
|
|
if err != nil {
|
|
|
|
slog.Error("error demoting user to admin: ", "user", caller.UserName, "error", err.Error())
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
slog.Info("user was made a super admin", "user", u.UserName)
|
|
|
|
json.NewEncoder(w).Encode(logic.ToReturnUser(*u))
|
2021-07-02 12:03:46 +08:00
|
|
|
}
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
// swagger:route POST /api/users/{username} user createUser
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-09-01 16:57:08 +08:00
|
|
|
// Create a user.
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2023-09-01 16:57:08 +08:00
|
|
|
func createUser(w http.ResponseWriter, r *http.Request) {
|
2021-10-26 02:51:52 +08:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2023-09-01 16:57:08 +08:00
|
|
|
caller, err := logic.GetUser(r.Header.Get("user"))
|
2021-10-26 02:51:52 +08:00
|
|
|
if err != nil {
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-10-26 02:51:52 +08:00
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
var user models.User
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&user)
|
2021-10-26 02:51:52 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
logger.Log(0, user.UserName, "error decoding request body: ",
|
2022-07-12 18:49:49 +08:00
|
|
|
err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2021-10-26 02:51:52 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
if !caller.IsSuperAdmin && user.IsAdmin {
|
|
|
|
err = errors.New("only superadmin can create admin users")
|
|
|
|
slog.Error("error creating new user: ", "user", user.UserName, "error", err)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
2021-10-26 02:51:52 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
if user.IsSuperAdmin {
|
|
|
|
err = errors.New("additional superadmins cannot be created")
|
|
|
|
slog.Error("error creating new user: ", "user", user.UserName, "error", err)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
2023-12-01 02:37:00 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if !servercfg.IsPro && !user.IsAdmin {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
2023-09-01 16:57:08 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err = logic.CreateUser(&user)
|
2023-06-26 13:23:00 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
slog.Error("error creating new user: ", "user", user.UserName, "error", err.Error())
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2023-05-23 05:57:32 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
slog.Info("user was created", "username", user.UserName)
|
|
|
|
json.NewEncoder(w).Encode(logic.ToReturnUser(user))
|
2021-10-26 02:51:52 +08:00
|
|
|
}
|
|
|
|
|
2022-09-15 20:47:48 +08:00
|
|
|
// swagger:route PUT /api/users/{username} user updateUser
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
|
|
|
// Update a user.
|
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2021-03-26 00:17:52 +08:00
|
|
|
func updateUser(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
var params = mux.Vars(r)
|
2021-10-16 20:01:38 +08:00
|
|
|
// start here
|
2023-09-01 16:57:08 +08:00
|
|
|
var caller *models.User
|
|
|
|
var err error
|
|
|
|
var ismaster bool
|
|
|
|
if r.Header.Get("user") == logic.MasterUser {
|
|
|
|
ismaster = true
|
|
|
|
} else {
|
|
|
|
caller, err = logic.GetUser(r.Header.Get("user"))
|
|
|
|
if err != nil {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
|
|
}
|
2023-03-31 03:10:17 +08:00
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
|
2021-07-19 23:30:27 +08:00
|
|
|
username := params["username"]
|
2022-12-21 04:10:40 +08:00
|
|
|
user, err := logic.GetUser(username)
|
2021-04-18 02:03:01 +08:00
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, username,
|
|
|
|
"failed to update user info: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-04-18 02:03:01 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
var userchange models.User
|
|
|
|
// we decode our body request params
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&userchange)
|
2021-03-26 00:17:52 +08:00
|
|
|
if err != nil {
|
2023-09-01 16:57:08 +08:00
|
|
|
slog.Error("failed to decode body", "error ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2021-04-18 02:03:01 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
if user.UserName != userchange.UserName {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user in param and request body not matching"), "badrequest"))
|
2023-03-31 03:10:17 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
selfUpdate := false
|
|
|
|
if !ismaster && caller.UserName == user.UserName {
|
|
|
|
selfUpdate = true
|
2021-03-26 00:17:52 +08:00
|
|
|
}
|
|
|
|
|
2023-09-01 16:57:08 +08:00
|
|
|
if !ismaster && !selfUpdate {
|
|
|
|
if caller.IsAdmin && user.IsSuperAdmin {
|
|
|
|
slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !caller.IsAdmin && !caller.IsSuperAdmin {
|
|
|
|
slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if caller.IsAdmin && user.IsAdmin {
|
|
|
|
slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if caller.IsAdmin && userchange.IsAdmin {
|
|
|
|
err = errors.New("admin user cannot update role of an another user to admin")
|
|
|
|
slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
if !ismaster && selfUpdate {
|
|
|
|
if user.IsAdmin != userchange.IsAdmin || user.IsSuperAdmin != userchange.IsSuperAdmin {
|
|
|
|
slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
2021-07-15 04:47:05 +08:00
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
if ismaster {
|
|
|
|
if !user.IsSuperAdmin && userchange.IsSuperAdmin {
|
|
|
|
slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-10-04 14:15:41 +08:00
|
|
|
if auth.IsOauthUser(user) == nil && userchange.Password != "" {
|
|
|
|
err := fmt.Errorf("cannot update user's password for an oauth user %s", username)
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
|
2021-10-26 02:51:52 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
|
2022-12-21 04:10:40 +08:00
|
|
|
user, err = logic.UpdateUser(&userchange, user)
|
2021-07-15 04:47:05 +08:00
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, username,
|
2023-09-01 16:57:08 +08:00
|
|
|
"failed to update user info: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2021-07-15 04:47:05 +08:00
|
|
|
return
|
|
|
|
}
|
2023-09-01 16:57:08 +08:00
|
|
|
logger.Log(1, username, "was updated")
|
2023-06-26 13:23:00 +08:00
|
|
|
json.NewEncoder(w).Encode(logic.ToReturnUser(*user))
|
2021-07-02 12:03:46 +08:00
|
|
|
}
|
|
|
|
|
2022-09-15 20:47:48 +08:00
|
|
|
// swagger:route DELETE /api/users/{username} user deleteUser
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
|
|
|
// Delete a user.
|
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Schemes: https
|
2022-09-06 20:20:24 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Security:
|
|
|
|
// oauth
|
2022-09-11 12:51:59 +08:00
|
|
|
//
|
2023-01-02 15:48:40 +08:00
|
|
|
// Responses:
|
|
|
|
// 200: userBodyResponse
|
2021-03-26 00:17:52 +08:00
|
|
|
func deleteUser(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Set header
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
// get params
|
|
|
|
var params = mux.Vars(r)
|
2023-09-01 16:57:08 +08:00
|
|
|
caller, err := logic.GetUser(r.Header.Get("user"))
|
|
|
|
if err != nil {
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
|
|
}
|
2021-07-19 23:30:27 +08:00
|
|
|
username := params["username"]
|
2023-09-01 16:57:08 +08:00
|
|
|
user, err := logic.GetUser(username)
|
|
|
|
if err != nil {
|
|
|
|
logger.Log(0, username,
|
|
|
|
"failed to update user info: ", err.Error())
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if user.IsSuperAdmin {
|
|
|
|
slog.Error(
|
|
|
|
"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
|
2023-11-30 00:12:37 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"))
|
2023-09-01 16:57:08 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
if !caller.IsSuperAdmin {
|
|
|
|
if caller.IsAdmin && user.IsAdmin {
|
|
|
|
slog.Error(
|
2023-11-30 00:12:37 +08:00
|
|
|
"failed to delete user: ", "user", username, "error", "admin cannot delete another admin user, including oneself")
|
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("admin cannot delete another admin user, including oneself"), "internal"))
|
2023-09-01 16:57:08 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
2022-07-12 18:49:49 +08:00
|
|
|
success, err := logic.DeleteUser(username)
|
2021-04-15 10:59:25 +08:00
|
|
|
if err != nil {
|
2022-07-12 18:49:49 +08:00
|
|
|
logger.Log(0, username,
|
|
|
|
"failed to delete user: ", err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
2021-03-26 00:17:52 +08:00
|
|
|
return
|
2021-04-15 10:59:25 +08:00
|
|
|
} else if !success {
|
2022-07-12 18:49:49 +08:00
|
|
|
err := errors.New("delete unsuccessful")
|
|
|
|
logger.Log(0, username, err.Error())
|
2022-09-15 01:26:31 +08:00
|
|
|
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
2021-04-18 02:03:01 +08:00
|
|
|
return
|
|
|
|
}
|
2023-10-18 03:22:17 +08:00
|
|
|
// check and delete extclient with this ownerID
|
|
|
|
go func() {
|
|
|
|
extclients, err := logic.GetAllExtClients()
|
|
|
|
if err != nil {
|
|
|
|
slog.Error("failed to get extclients", "error", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
for _, extclient := range extclients {
|
|
|
|
if extclient.OwnerID == user.UserName {
|
|
|
|
err = logic.DeleteExtClient(extclient.Network, extclient.ClientID)
|
|
|
|
if err != nil {
|
|
|
|
slog.Error("failed to delete extclient",
|
|
|
|
"id", extclient.ClientID, "owner", user.UserName, "error", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2023-12-20 14:24:53 +08:00
|
|
|
if servercfg.IsDNSMode() {
|
|
|
|
logic.SetDNS()
|
|
|
|
}
|
2023-10-18 03:22:17 +08:00
|
|
|
}()
|
2021-12-07 04:31:08 +08:00
|
|
|
logger.Log(1, username, "was deleted")
|
2021-03-26 00:17:52 +08:00
|
|
|
json.NewEncoder(w).Encode(params["username"] + " deleted.")
|
|
|
|
}
|
2022-09-14 03:25:56 +08:00
|
|
|
|
|
|
|
// Called when vpn client dials in to start the auth flow and first stage is to get register URL itself
|
|
|
|
func socketHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Upgrade our raw HTTP connection to a websocket based one
|
|
|
|
conn, err := upgrader.Upgrade(w, r, nil)
|
|
|
|
if err != nil {
|
2022-09-15 22:23:19 +08:00
|
|
|
logger.Log(0, "error during connection upgrade for node sign-in:", err.Error())
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if conn == nil {
|
|
|
|
logger.Log(0, "failed to establish web-socket connection during node sign-in")
|
2022-09-14 03:25:56 +08:00
|
|
|
return
|
|
|
|
}
|
|
|
|
// Start handling the session
|
2023-04-13 23:36:13 +08:00
|
|
|
go auth.SessionHandler(conn)
|
2022-09-14 03:25:56 +08:00
|
|
|
}
|