diff --git a/config/config.go b/config/config.go
index 0c42227b..f39f77c3 100644
--- a/config/config.go
+++ b/config/config.go
@@ -89,7 +89,6 @@ type ServerConfig struct {
 DeployedByOperator bool `yaml:"deployed_by_operator"`
 Environment string `yaml:"environment"`
 JwtValidityDuration time.Duration `yaml:"jwt_validity_duration" swaggertype:"primitive,integer" format:"int64"`
- RacAutoDisable bool `yaml:"rac_auto_disable"`
 RacRestrictToSingleNetwork bool `yaml:"rac_restrict_to_single_network"`
 CacheEnabled string `yaml:"caching_enabled"`
 EndpointDetection bool `yaml:"endpoint_detection"`
diff --git a/controllers/user.go b/controllers/user.go
index 2a7717ee..18b4602c 100644
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -377,7 +377,7 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
 response.Write(successJSONResponse)
 go func() {
- if servercfg.IsPro && logic.GetRacAutoDisable() {
+ if servercfg.IsPro {
 // enable all associeated clients for the user
 clients, err := logic.GetAllExtClients()
 if err != nil {
diff --git a/logic/jwts.go b/logic/jwts.go
index 3872568c..32c17ce7 100644
--- a/logic/jwts.go
+++ b/logic/jwts.go
@@ -58,11 +58,10 @@ func CreateJWT(uuid string, macAddress string, network string) (response string,
 // CreateUserJWT - creates a user jwt token
 func CreateUserAccessJwtToken(username string, role models.UserRoleID, d time.Time, tokenID string) (response string, err error) {
 claims := &models.UserClaims{
- UserName: username,
- Role: role,
- TokenType: models.AccessTokenType,
- Api: servercfg.GetAPIHost(),
- RacAutoDisable: GetRacAutoDisable() && (role != models.SuperAdminRole && role != models.AdminRole),
+ UserName: username,
+ Role: role,
+ TokenType: models.AccessTokenType,
+ Api: servercfg.GetAPIHost(),
 RegisteredClaims: jwt.RegisteredClaims{
 Issuer: "Netmaker",
 Subject: fmt.Sprintf("user|%s", username),
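Review bot: Dropping `logic.GetRacAutoDisable()` from the guard makes the re-enable branch run on every successful pro login, so it now re-enables every client associated with the user unconditionally; if the loop that follows (outside the hunk) does not distinguish clients the expiry hook disabled from ones an operator disabled deliberately, a login would silently undo that operator action. Worth confirming the re-enable is scoped to hook-disabled clients, or at least logging each re-enabled client at Info level the way the disable side does, so the state change is visible in the audit trail. The comment on the next line also has a typo: `// enable all associated clients for the user`. authenticateUser's body continues outside the hunk.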
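Review bot: The doc comment still names `CreateUserJWT` although the function below it is `CreateUserAccessJwtToken`; `// CreateUserAccessJwtToken - creates a user access jwt token`. Removing the `RacAutoDisable` claim also removes the only place in this diff where admin roles were exempted (`role != models.SuperAdminRole && role != models.AdminRole`); now that the hook runs unconditionally, it is worth confirming the hook itself still skips admin users, since that check is not visible here — the same applies to the CreateUserJWT hunk that follows. If `models.UserClaims` still declares the field, tokens will now carry it as false to any client that reads it, which says the opposite of what the server does.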
@@ -85,10 +84,9 @@ func CreateUserJWT(username string, role models.UserRoleID) (response string, er
 settings := GetServerSettings()
 expirationTime := time.Now().Add(time.Duration(settings.JwtValidityDuration) * time.Minute)
 claims := &models.UserClaims{
- UserName: username,
- Role: role,
- TokenType: models.UserIDTokenType,
- RacAutoDisable: settings.RacAutoDisable && (role != models.SuperAdminRole && role != models.AdminRole),
+ UserName: username,
+ Role: role,
+ TokenType: models.UserIDTokenType,
 RegisteredClaims: jwt.RegisteredClaims{
 Issuer: "Netmaker",
 Subject: fmt.Sprintf("user|%s", username),
diff --git a/logic/settings.go b/logic/settings.go
index d704b6e5..ff4afb4c 100644
--- a/logic/settings.go
+++ b/logic/settings.go
@@ -62,7 +62,6 @@ func GetServerSettingsFromEnv() (s models.ServerSettings) {
 Telemetry: servercfg.Telemetry(),
 BasicAuth: servercfg.IsBasicAuthEnabled(),
 JwtValidityDuration: servercfg.GetJwtValidityDurationFromEnv() / 60,
- RacAutoDisable: servercfg.GetRacAutoDisable(),
 RacRestrictToSingleNetwork: servercfg.GetRacRestrictToSingleNetwork(),
 EndpointDetection: servercfg.IsEndpointDetectionEnabled(),
 AllowedEmailDomains: servercfg.GetAllowedEmailDomains(),
@@ -140,7 +139,6 @@ func GetServerConfig() config.ServerConfig {
 cfg.IsPro = "yes"
 }
 cfg.JwtValidityDuration = time.Duration(settings.JwtValidityDuration) * time.Minute
- cfg.RacAutoDisable = settings.RacAutoDisable
 cfg.RacRestrictToSingleNetwork = settings.RacRestrictToSingleNetwork
 cfg.MetricInterval = settings.MetricInterval
 cfg.ManageDNS = settings.ManageDNS
@@ -206,11 +204,6 @@ func GetJwtValidityDuration() time.Duration {
 return GetServerConfig().JwtValidityDuration
 }
-// GetRacAutoDisable - returns whether the feature to autodisable RAC is enabled
-func GetRacAutoDisable() bool {
- return GetServerSettings().RacAutoDisable
-}
-
 // GetRacRestrictToSingleNetwork - returns whether the feature to allow simultaneous network connections via RAC is enabled
 func GetRacRestrictToSingleNetwork() bool {
 return GetServerSettings().RacRestrictToSingleNetwork
diff --git a/models/settings.go b/models/settings.go
index faaa153d..e8baf87d 100644
--- a/models/settings.go
+++ b/models/settings.go
@@ -25,7 +25,6 @@ type ServerSettings struct {
 Telemetry string `json:"telemetry"`
 BasicAuth bool `json:"basic_auth"`
 JwtValidityDuration int `json:"jwt_validity_duration"`
- RacAutoDisable bool `json:"rac_auto_disable"`
 RacRestrictToSingleNetwork bool `json:"rac_restrict_to_single_network"`
 EndpointDetection bool `json:"endpoint_detection"`
 AllowedEmailDomains string `json:"allowed_email_domains"`
diff --git a/pro/initialize.go b/pro/initialize.go
index b1b7f1b8..19883985 100644
--- a/pro/initialize.go
+++ b/pro/initialize.go
@@ -81,9 +81,7 @@ func InitPro() {
 addTrialLicenseHook()
 }
- if logic.GetRacAutoDisable() {
- AddRacHooks()
- }
+ AddUnauthorisedUserNodeHooks()
 var authProvider = auth.InitializeAuthProvider()
 if authProvider != "" {
diff --git a/pro/remote_access_client.go b/pro/remote_access_client.go
index b9266c84..41efdb6a 100644
--- a/pro/remote_access_client.go
+++ b/pro/remote_access_client.go
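Review bot: `AddUnauthorisedUserNodeHooks()` is now registered unconditionally, so every pro server starts disabling user nodes with expired auth after this upgrade, whereas the shipped default in this same diff was `RAC_AUTO_DISABLE=false` (scripts/netmaker.default.env); the only runtime signal of that change is a Debug log inside the hook. An Info-level line at this call site would let operators see the new behaviour on startup, e.g. `slog.Info("auto-disable of user nodes with expired auth is always on; RAC_AUTO_DISABLE is no longer read")` if slog is in scope here, otherwise whichever logger this file already uses, and the change deserves a changelog entry. InitPro's body continues outside the hunk.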
@@ -13,20 +13,20 @@ import (
 "golang.org/x/exp/slog"
 )
-const racAutoDisableCheckInterval = 3 * time.Minute
+const unauthorisedUserNodeCheckInterval = 3 * time.Minute
-// AddRacHooks - adds hooks for Remote Access Client
-func AddRacHooks() {
- slog.Debug("adding RAC autodisable hook")
+// AddUnauthorisedUserNodeHooks - adds hook to prevent access from unauthorised (expired) user nodes
+func AddUnauthorisedUserNodeHooks() {
+ slog.Debug("adding unauthorisedUserNode hook")
 logic.HookManagerCh <- models.HookDetails{
- Hook: racAutoDisableHook,
- Interval: racAutoDisableCheckInterval,
+ Hook: unauthorisedUserNodeHook,
+ Interval: unauthorisedUserNodeCheckInterval,
 }
 }
-// racAutoDisableHook - checks if RAC is enabled and if it is, checks if it should be disabled
-func racAutoDisableHook() error {
- slog.Debug("running RAC autodisable hook")
+// unauthorisedUserNodeHook - checks if a user node should be disabled, using the user's last login time
+func unauthorisedUserNodeHook() error {
+ slog.Debug("running unauthorisedUserNode hook")
 users, err := logic.GetUsers()
 if err != nil {
@@ -55,16 +55,16 @@ func racAutoDisableHook() error {
 }
 if (client.OwnerID == user.UserName) && client.Enabled {
- slog.Info(fmt.Sprintf("disabling ext client %s for user %s due to RAC autodisabling", client.ClientID, client.OwnerID))
+ slog.Info(fmt.Sprintf("disabling user node %s for user %s: auth token expired", client.ClientID, client.OwnerID))
 if err := disableExtClient(&client); err != nil {
- slog.Error("error disabling ext client in RAC autodisable hook", "error", err)
+ slog.Error("error disabling user node", "error", err)
 continue // dont return but try for other clients
 }
 }
 }
 }
- slog.Debug("finished running RAC autodisable hook")
+ slog.Debug("finished running unauthorisedUserNode hook")
 return nil
 }
diff --git a/scripts/netmaker.default.env b/scripts/netmaker.default.env
index 8b52abd0..14778efe 100644
--- a/scripts/netmaker.default.env
+++ b/scripts/netmaker.default.env
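Review bot: The new doc comment on `unauthorisedUserNodeHook` says the decision is made "using the user's last login time", while the new Info message in the next hunk says "auth token expired"; the actual criterion sits outside this hunk, but the two descriptions should match so that someone reading a log line and the code agree on why a node was disabled, e.g. `// unauthorisedUserNodeHook - disables user nodes whose owner's auth token has expired (judged from the user's last login time)`. `AddUnauthorisedUserNodeHooks` is also plural although it registers exactly one hook.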
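Review bot: The new Error log drops the client and owner identifiers that the Info line just above it carries, so a failed disable cannot be tied to a specific node in the logs; `slog.Error("error disabling user node", "client", client.ClientID, "user", client.OwnerID, "error", err)`. The Info line itself is a pre-formatted string passed to a structured logger and would be easier to filter as fields: `slog.Info("disabling user node: auth token expired", "client", client.ClientID, "user", client.OwnerID)`. The enclosing function starts before this hunk.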
@@ -71,8 +71,6 @@ AZURE_TENANT=
 OIDC_ISSUER=
 # Duration of JWT token validity in seconds
 JWT_VALIDITY_DURATION=43200
-# Auto disable a user's connecteds clients bassed on JWT token expiration
-RAC_AUTO_DISABLE=false
 # Allow a user to connect to multiple networks simultaneously
 RAC_RESTRICT_TO_SINGLE_NETWORK=false
 # if turned on data will be cached on to improve performance significantly (IMPORTANT: If HA set to `false` )
diff --git a/scripts/nm-quick.sh b/scripts/nm-quick.sh
index 8fa7da13..cc3562a4 100755
--- a/scripts/nm-quick.sh
+++ b/scripts/nm-quick.sh
@@ -257,7 +257,7 @@ save_config() { ( "INSTALL_TYPE" "NODE_ID" "DNS_MODE" "NETCLIENT_AUTO_UPDATE" "API_PORT" "MANAGE_DNS" "DEFAULT_DOMAIN" "CORS_ALLOWED_ORIGIN" "DISPLAY_KEYS" "DATABASE" "SERVER_BROKER_ENDPOINT" "VERBOSITY" "DEBUG_MODE" "REST_BACKEND" "DISABLE_REMOTE_IP_CHECK" "TELEMETRY" "ALLOWED_EMAIL_DOMAINS" "AUTH_PROVIDER" "CLIENT_ID" "CLIENT_SECRET" - "FRONTEND_URL" "AZURE_TENANT" "OIDC_ISSUER" "EXPORTER_API_PORT" "JWT_VALIDITY_DURATION" "RAC_AUTO_DISABLE" "RAC_RESTRICT_TO_SINGLE_NETWORK" "CACHING_ENABLED" "ENDPOINT_DETECTION" + "FRONTEND_URL" "AZURE_TENANT" "OIDC_ISSUER" "EXPORTER_API_PORT" "JWT_VALIDITY_DURATION" "RAC_RESTRICT_TO_SINGLE_NETWORK" "CACHING_ENABLED" "ENDPOINT_DETECTION" "SMTP_HOST" "SMTP_PORT" "EMAIL_SENDER_ADDR" "EMAIL_SENDER_USER" "EMAIL_SENDER_PASSWORD") for name in "${toCopy[@]}"; do save_config_item $name "${!name}"
diff --git a/scripts/nm-upgrade.sh b/scripts/nm-upgrade.sh
index d2a87e1c..42850964 100755
--- a/scripts/nm-upgrade.sh
+++ b/scripts/nm-upgrade.sh
@@ -179,7 +179,7 @@ save_config() { ( "CORS_ALLOWED_ORIGIN" "DISPLAY_KEYS" "DATABASE" "SERVER_BROKER_ENDPOINT" "STUN_PORT" "VERBOSITY" "TURN_PORT" "USE_TURN" "DEBUG_MODE" "TURN_API_PORT" "REST_BACKEND" "DISABLE_REMOTE_IP_CHECK" "TELEMETRY" "AUTH_PROVIDER" "CLIENT_ID" "CLIENT_SECRET" - "FRONTEND_URL" "AZURE_TENANT" "OIDC_ISSUER" "EXPORTER_API_PORT" "JWT_VALIDITY_DURATION" "RAC_AUTO_DISABLE" "RAC_RESTRICT_TO_SINGLE_NETWORK") + "FRONTEND_URL" "AZURE_TENANT" "OIDC_ISSUER" "EXPORTER_API_PORT" "JWT_VALIDITY_DURATION" "RAC_RESTRICT_TO_SINGLE_NETWORK") for name in "${toCopy[@]}"; do save_config_item $name "${!name}" done
diff --git a/servercfg/serverconf.go b/servercfg/serverconf.go
index d16ac7d4..ab78cbb9 100644
--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@@ -91,7 +91,6 @@ func GetServerConfig() config.ServerConfig {
 cfg.IsPro = "yes"
 }
 cfg.JwtValidityDuration = GetJwtValidityDuration()
- cfg.RacAutoDisable = GetRacAutoDisable()
 cfg.RacRestrictToSingleNetwork = GetRacRestrictToSingleNetwork()
 cfg.MetricInterval = GetMetricInterval()
 cfg.ManageDNS = GetManageDNS()
@@ -126,11 +125,6 @@ func GetJwtValidityDurationFromEnv() int {
 return defaultDuration
 }
-// GetRacAutoDisable - returns whether the feature to autodisable RAC is enabled
-func GetRacAutoDisable() bool {
- return os.Getenv("RAC_AUTO_DISABLE") == "true"
-}
-
 // GetRacRestrictToSingleNetwork - returns whether the feature to allow simultaneous network connections via RAC is enabled
 func GetRacRestrictToSingleNetwork() bool {
 return os.Getenv("RAC_RESTRICT_TO_SINGLE_NETWORK") == "true"