Please visit the docs here to learn how to.
+
+ %s
+
+
`
-const oauthStateInvalid = `
-
-Please visit the docs here to learn how to.
`) -const userNotAllowed = ` - -Non-Admins can access the netmaker networks using RemoteAccessClient.
- - -` +var oauthStateInvalid = fmt.Sprintf(htmlBaseTemplate, `Non-Admins can access the netmaker networks using RemoteAccessClient.
`) -const userSignUpApprovalPending = ` - -
+
|
+
+ ` + text + ` +
` +} + +func GetMailSignature() string { + return styledSignature() +} diff --git a/pro/initialize.go b/pro/initialize.go index 8da33bfc..948f8457 100644 --- a/pro/initialize.go +++ b/pro/initialize.go @@ -119,6 +119,19 @@ func InitPro() { logic.GetAllowedIpForInetNodeClient = proLogic.GetAllowedIpForInetNodeClient mq.UpdateMetrics = proLogic.MQUpdateMetrics mq.UpdateMetricsFallBack = proLogic.MQUpdateMetricsFallBack + logic.GetFilteredNodesByUserAccess = proLogic.GetFilteredNodesByUserAccess + logic.CreateRole = proLogic.CreateRole + logic.UpdateRole = proLogic.UpdateRole + logic.DeleteRole = proLogic.DeleteRole + logic.NetworkPermissionsCheck = proLogic.NetworkPermissionsCheck + logic.GlobalPermissionsCheck = proLogic.GlobalPermissionsCheck + logic.DeleteNetworkRoles = proLogic.DeleteNetworkRoles + logic.CreateDefaultNetworkRolesAndGroups = proLogic.CreateDefaultNetworkRolesAndGroups + logic.FilterNetworksByRole = proLogic.FilterNetworksByRole + logic.IsGroupsValid = proLogic.IsGroupsValid + logic.IsNetworkRolesValid = proLogic.IsNetworkRolesValid + logic.InitialiseRoles = proLogic.UserRolesInit + logic.UpdateUserGwAccess = proLogic.UpdateUserGwAccess } func retrieveProLogo() string { diff --git a/pro/logic/security.go b/pro/logic/security.go new file mode 100644 index 00000000..3225c269 --- /dev/null +++ b/pro/logic/security.go @@ -0,0 +1,195 @@ +package logic + +import ( + "errors" + "fmt" + "net/http" + + "github.com/gravitl/netmaker/logger" + "github.com/gravitl/netmaker/logic" + "github.com/gravitl/netmaker/models" +) + +func NetworkPermissionsCheck(username string, r *http.Request) error { + // at this point global checks should be completed + user, err := logic.GetUser(username) + if err != nil { + return err + } + logger.Log(0, "NET MIDDL----> 1") + userRole, err := logic.GetRole(user.PlatformRoleID) + if err != nil { + return errors.New("access denied") + } + if userRole.FullAccess { + return nil + } + logger.Log(0, "NET MIDDL----> 2") + // get info from header to determine the target rsrc + targetRsrc := r.Header.Get("TARGET_RSRC") + targetRsrcID := r.Header.Get("TARGET_RSRC_ID") + netID := r.Header.Get("NET_ID") + if targetRsrc == "" { + return errors.New("target rsrc is missing") + } + if netID == "" { + return errors.New("network id is missing") + } + if r.Method == "" { + r.Method = http.MethodGet + } + if targetRsrc == models.MetricRsrc.String() { + return nil + } + + // check if user has scope for target resource + // TODO - differentitate between global scope and network scope apis + // check for global network role + if netRoles, ok := user.NetworkRoles[models.AllNetworks]; ok { + for netRoleID := range netRoles { + err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID) + if err == nil { + return nil + } + } + } + netRoles := user.NetworkRoles[models.NetworkID(netID)] + for netRoleID := range netRoles { + err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID) + if err == nil { + return nil + } + } + for groupID := range user.UserGroups { + userG, err := GetUserGroup(groupID) + if err == nil { + netRoles := userG.NetworkRoles[models.NetworkID(netID)] + for netRoleID := range netRoles { + err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID) + if err == nil { + return nil + } + } + } + } + + return errors.New("access denied") +} + +func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqScope, targetRsrc, targetRsrcID, netID string) error { + networkPermissionScope, err := logic.GetRole(netRoleID) + if err != nil { + return err + } + logger.Log(0, "NET MIDDL----> 3", string(netRoleID)) + if networkPermissionScope.FullAccess { + return nil + } + rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)] + if targetRsrc == models.HostRsrc.String() && !ok { + rsrcPermissionScope, ok = networkPermissionScope.NetworkLevelAccess[models.RemoteAccessGwRsrc] + } + if !ok { + return errors.New("access denied") + } + logger.Log(0, "NET MIDDL----> 4", string(netRoleID)) + if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok { + // handle extclient apis here + if models.RsrcType(targetRsrc) == models.ExtClientsRsrc && allRsrcsTypePermissionScope.SelfOnly && targetRsrcID != "" { + extclient, err := logic.GetExtClient(targetRsrcID, netID) + if err != nil { + return err + } + if !logic.IsUserAllowedAccessToExtClient(username, extclient) { + return errors.New("access denied") + } + } + err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, reqScope) + if err == nil { + return nil + } + + } + if targetRsrc == models.HostRsrc.String() { + if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", models.RemoteAccessGwRsrc))]; ok { + err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, reqScope) + if err == nil { + return nil + } + } + } + logger.Log(0, "NET MIDDL----> 5", string(netRoleID)) + if targetRsrcID == "" { + return errors.New("target rsrc id is empty") + } + if scope, ok := rsrcPermissionScope[models.RsrcID(targetRsrcID)]; ok { + err = checkPermissionScopeWithReqMethod(scope, reqScope) + if err == nil { + return nil + } + } + logger.Log(0, "NET MIDDL----> 6", string(netRoleID)) + return errors.New("access denied") +} + +func GlobalPermissionsCheck(username string, r *http.Request) error { + user, err := logic.GetUser(username) + if err != nil { + return err + } + userRole, err := logic.GetRole(user.PlatformRoleID) + if err != nil { + return errors.New("access denied") + } + if userRole.FullAccess { + return nil + } + targetRsrc := r.Header.Get("TARGET_RSRC") + targetRsrcID := r.Header.Get("TARGET_RSRC_ID") + if targetRsrc == "" { + return errors.New("target rsrc is missing") + } + if r.Method == "" { + r.Method = http.MethodGet + } + if targetRsrc == models.MetricRsrc.String() { + return nil + } + if (targetRsrc == models.HostRsrc.String() || targetRsrc == models.NetworkRsrc.String()) && r.Method == http.MethodGet && targetRsrcID == "" { + return nil + } + if targetRsrc == models.UserRsrc.String() && username == targetRsrcID && (r.Method != http.MethodDelete) { + return nil + } + rsrcPermissionScope, ok := userRole.GlobalLevelAccess[models.RsrcType(targetRsrc)] + if !ok { + return fmt.Errorf("access denied to %s", targetRsrc) + } + if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok { + return checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, r.Method) + + } + if targetRsrcID == "" { + return errors.New("target rsrc id is missing") + } + if scope, ok := rsrcPermissionScope[models.RsrcID(targetRsrcID)]; ok { + return checkPermissionScopeWithReqMethod(scope, r.Method) + } + return errors.New("access denied") +} + +func checkPermissionScopeWithReqMethod(scope models.RsrcPermissionScope, reqmethod string) error { + if reqmethod == http.MethodGet && scope.Read { + return nil + } + if (reqmethod == http.MethodPatch || reqmethod == http.MethodPut) && scope.Update { + return nil + } + if reqmethod == http.MethodDelete && scope.Delete { + return nil + } + if reqmethod == http.MethodPost && scope.Create { + return nil + } + return errors.New("operation not permitted") +} diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go new file mode 100644 index 00000000..243f3a97 --- /dev/null +++ b/pro/logic/user_mgmt.go @@ -0,0 +1,1057 @@ +package logic + +import ( + "encoding/json" + "errors" + "fmt" + + "github.com/gravitl/netmaker/database" + "github.com/gravitl/netmaker/logger" + "github.com/gravitl/netmaker/logic" + "github.com/gravitl/netmaker/models" + "github.com/gravitl/netmaker/mq" + "github.com/gravitl/netmaker/servercfg" + "golang.org/x/exp/slog" +) + +var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{ + ID: models.ServiceUser, + Default: true, + FullAccess: false, + DenyDashboardAccess: true, +} + +var PlatformUserUserPermissionTemplate = models.UserRolePermissionTemplate{ + ID: models.PlatformUser, + Default: true, + FullAccess: false, +} + +var NetworkAdminAllPermissionTemplate = models.UserRolePermissionTemplate{ + ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkAdmin)), + Default: true, + FullAccess: true, + NetworkID: models.AllNetworks, +} + +var NetworkUserAllPermissionTemplate = models.UserRolePermissionTemplate{ + ID: models.UserRoleID(fmt.Sprintf("global-%s", models.NetworkUser)), + Default: true, + FullAccess: false, + NetworkID: models.AllNetworks, + NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ + models.RemoteAccessGwRsrc: { + models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{ + Read: true, + VPNaccess: true, + }, + }, + models.ExtClientsRsrc: { + models.AllExtClientsRsrcID: models.RsrcPermissionScope{ + Read: true, + Create: true, + Update: true, + Delete: true, + SelfOnly: true, + }, + }, + }, +} + +func UserRolesInit() { + d, _ := json.Marshal(logic.SuperAdminPermissionTemplate) + database.Insert(logic.SuperAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + d, _ = json.Marshal(logic.AdminPermissionTemplate) + database.Insert(logic.AdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + d, _ = json.Marshal(ServiceUserPermissionTemplate) + database.Insert(ServiceUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + d, _ = json.Marshal(PlatformUserUserPermissionTemplate) + database.Insert(PlatformUserUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + d, _ = json.Marshal(NetworkAdminAllPermissionTemplate) + database.Insert(NetworkAdminAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + d, _ = json.Marshal(NetworkUserAllPermissionTemplate) + database.Insert(NetworkUserAllPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + +} + +func CreateDefaultNetworkRolesAndGroups(netID models.NetworkID) { + var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{ + ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)), + Default: true, + NetworkID: netID, + FullAccess: true, + NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), + } + + var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{ + ID: models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)), + Default: true, + FullAccess: false, + NetworkID: netID, + DenyDashboardAccess: false, + NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ + models.RemoteAccessGwRsrc: { + models.AllRemoteAccessGwRsrcID: models.RsrcPermissionScope{ + Read: true, + VPNaccess: true, + }, + }, + models.ExtClientsRsrc: { + models.AllExtClientsRsrcID: models.RsrcPermissionScope{ + Read: true, + Create: true, + Update: true, + Delete: true, + SelfOnly: true, + }, + }, + }, + } + d, _ := json.Marshal(NetworkAdminPermissionTemplate) + database.Insert(NetworkAdminPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + d, _ = json.Marshal(NetworkUserPermissionTemplate) + database.Insert(NetworkUserPermissionTemplate.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) + + // create default network groups + var NetworkAdminGroup = models.UserGroup{ + ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin)), + NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{ + netID: { + models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkAdmin)): {}, + }, + }, + MetaData: "The network role was automatically created by Netmaker.", + } + var NetworkUserGroup = models.UserGroup{ + ID: models.UserGroupID(fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser)), + NetworkRoles: map[models.NetworkID]map[models.UserRoleID]struct{}{ + netID: { + models.UserRoleID(fmt.Sprintf("%s-%s", netID, models.NetworkUser)): {}, + }, + }, + MetaData: "The network role was automatically created by Netmaker.", + } + d, _ = json.Marshal(NetworkAdminGroup) + database.Insert(NetworkAdminGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) + d, _ = json.Marshal(NetworkUserGroup) + database.Insert(NetworkUserGroup.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) +} + +func DeleteNetworkRoles(netID string) { + users, err := logic.GetUsersDB() + if err != nil { + return + } + defaultUserGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkUser) + defaultAdminGrp := fmt.Sprintf("%s-%s-grp", netID, models.NetworkAdmin) + for _, user := range users { + var upsert bool + if _, ok := user.NetworkRoles[models.NetworkID(netID)]; ok { + delete(user.NetworkRoles, models.NetworkID(netID)) + upsert = true + } + if _, ok := user.UserGroups[models.UserGroupID(defaultUserGrp)]; ok { + delete(user.UserGroups, models.UserGroupID(defaultUserGrp)) + upsert = true + } + if _, ok := user.UserGroups[models.UserGroupID(defaultAdminGrp)]; ok { + delete(user.UserGroups, models.UserGroupID(defaultAdminGrp)) + upsert = true + } + if upsert { + logic.UpsertUser(user) + } + } + database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultUserGrp) + database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, defaultAdminGrp) + userGs, _ := ListUserGroups() + for _, userGI := range userGs { + if _, ok := userGI.NetworkRoles[models.NetworkID(netID)]; ok { + delete(userGI.NetworkRoles, models.NetworkID(netID)) + UpdateUserGroup(userGI) + } + } + + roles, _ := ListNetworkRoles() + for _, role := range roles { + if role.NetworkID.String() == netID { + database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, role.ID.String()) + } + } +} + +// ListNetworkRoles - lists user network roles permission templates +func ListNetworkRoles() ([]models.UserRolePermissionTemplate, error) { + data, err := database.FetchRecords(database.USER_PERMISSIONS_TABLE_NAME) + if err != nil && !database.IsEmptyRecord(err) { + return []models.UserRolePermissionTemplate{}, err + } + userRoles := []models.UserRolePermissionTemplate{} + for _, dataI := range data { + userRole := models.UserRolePermissionTemplate{} + err := json.Unmarshal([]byte(dataI), &userRole) + if err != nil { + continue + } + if userRole.NetworkID == "" { + continue + } + userRoles = append(userRoles, userRole) + } + return userRoles, nil +} + +// ListPlatformRoles - lists user platform roles permission templates +func ListPlatformRoles() ([]models.UserRolePermissionTemplate, error) { + data, err := database.FetchRecords(database.USER_PERMISSIONS_TABLE_NAME) + if err != nil && !database.IsEmptyRecord(err) { + return []models.UserRolePermissionTemplate{}, err + } + userRoles := []models.UserRolePermissionTemplate{} + for _, dataI := range data { + userRole := models.UserRolePermissionTemplate{} + err := json.Unmarshal([]byte(dataI), &userRole) + if err != nil { + continue + } + if userRole.NetworkID != "" { + continue + } + userRoles = append(userRoles, userRole) + } + return userRoles, nil +} + +func ValidateCreateRoleReq(userRole *models.UserRolePermissionTemplate) error { + // check if role exists with this id + _, err := logic.GetRole(userRole.ID) + if err == nil { + return fmt.Errorf("role with id `%s` exists already", userRole.ID.String()) + } + if len(userRole.NetworkLevelAccess) > 0 { + for rsrcType := range userRole.NetworkLevelAccess { + if _, ok := models.RsrcTypeMap[rsrcType]; !ok { + return errors.New("invalid rsrc type " + rsrcType.String()) + } + if rsrcType == models.RemoteAccessGwRsrc { + userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc] + var vpnAccess bool + for _, scope := range userRsrcPermissions { + if scope.VPNaccess { + vpnAccess = true + break + } + } + if vpnAccess { + userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{ + models.AllExtClientsRsrcID: { + Read: true, + Create: true, + Update: true, + Delete: true, + SelfOnly: true, + }, + } + + } + + } + } + } + if userRole.NetworkID == "" { + return errors.New("only network roles are allowed to be created") + } + return nil +} + +func ValidateUpdateRoleReq(userRole *models.UserRolePermissionTemplate) error { + roleInDB, err := logic.GetRole(userRole.ID) + if err != nil { + return err + } + if roleInDB.NetworkID != userRole.NetworkID { + return errors.New("network id mismatch") + } + if roleInDB.Default { + return errors.New("cannot update default role") + } + if len(userRole.NetworkLevelAccess) > 0 { + for rsrcType := range userRole.NetworkLevelAccess { + if _, ok := models.RsrcTypeMap[rsrcType]; !ok { + return errors.New("invalid rsrc type " + rsrcType.String()) + } + if rsrcType == models.RemoteAccessGwRsrc { + userRsrcPermissions := userRole.NetworkLevelAccess[models.RemoteAccessGwRsrc] + var vpnAccess bool + for _, scope := range userRsrcPermissions { + if scope.VPNaccess { + vpnAccess = true + break + } + } + if vpnAccess { + userRole.NetworkLevelAccess[models.ExtClientsRsrc] = map[models.RsrcID]models.RsrcPermissionScope{ + models.AllExtClientsRsrcID: { + Read: true, + Create: true, + Update: true, + Delete: true, + SelfOnly: true, + }, + } + + } + + } + } + } + return nil +} + +// CreateRole - inserts new role into DB +func CreateRole(r models.UserRolePermissionTemplate) error { + // check if role already exists + if r.ID.String() == "" { + return errors.New("role id cannot be empty") + } + _, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, r.ID.String()) + if err == nil { + return errors.New("role already exists") + } + d, err := json.Marshal(r) + if err != nil { + return err + } + return database.Insert(r.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) +} + +// UpdateRole - updates role template +func UpdateRole(r models.UserRolePermissionTemplate) error { + if r.ID.String() == "" { + return errors.New("role id cannot be empty") + } + _, err := database.FetchRecord(database.USER_PERMISSIONS_TABLE_NAME, r.ID.String()) + if err != nil { + return err + } + d, err := json.Marshal(r) + if err != nil { + return err + } + return database.Insert(r.ID.String(), string(d), database.USER_PERMISSIONS_TABLE_NAME) +} + +// DeleteRole - deletes user role +func DeleteRole(rid models.UserRoleID, force bool) error { + if rid.String() == "" { + return errors.New("role id cannot be empty") + } + users, err := logic.GetUsersDB() + if err != nil { + return err + } + role, err := logic.GetRole(rid) + if err != nil { + return err + } + if role.NetworkID == "" { + return errors.New("cannot delete platform role") + } + // allow deletion of default network roles if network doesn't exist + if role.NetworkID == models.AllNetworks { + return errors.New("cannot delete default network role") + } + // check if network exists + exists, _ := logic.NetworkExists(role.NetworkID.String()) + if role.Default { + if exists && !force { + return errors.New("cannot delete default role") + } + } + for _, user := range users { + for userG := range user.UserGroups { + ug, err := GetUserGroup(userG) + if err == nil { + if role.NetworkID != "" { + for netID, networkRoles := range ug.NetworkRoles { + if _, ok := networkRoles[rid]; ok { + delete(networkRoles, rid) + ug.NetworkRoles[netID] = networkRoles + UpdateUserGroup(ug) + } + + } + } + + } + } + + if user.PlatformRoleID == rid { + err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting") + return err + } + if role.NetworkID != "" { + for netID, networkRoles := range user.NetworkRoles { + if _, ok := networkRoles[rid]; ok { + delete(networkRoles, rid) + user.NetworkRoles[netID] = networkRoles + logic.UpsertUser(user) + } + + } + } + } + + return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String()) +} + +func ValidateCreateGroupReq(g models.UserGroup) error { + + // check if network roles are valid + for _, roleMap := range g.NetworkRoles { + for roleID := range roleMap { + role, err := logic.GetRole(roleID) + if err != nil { + return fmt.Errorf("invalid network role %s", roleID) + } + if role.NetworkID == "" { + return errors.New("platform role cannot be used as network role") + } + } + } + return nil +} +func ValidateUpdateGroupReq(g models.UserGroup) error { + + for networkID := range g.NetworkRoles { + userRolesMap := g.NetworkRoles[networkID] + for roleID := range userRolesMap { + netRole, err := logic.GetRole(roleID) + if err != nil { + err = fmt.Errorf("invalid network role") + return err + } + if netRole.NetworkID == "" { + return errors.New("platform role cannot be used as network role") + } + } + } + return nil +} + +// CreateUserGroup - creates new user group +func CreateUserGroup(g models.UserGroup) error { + // check if role already exists + if g.ID == "" { + return errors.New("group id cannot be empty") + } + _, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, g.ID.String()) + if err == nil { + return errors.New("group already exists") + } + d, err := json.Marshal(g) + if err != nil { + return err + } + return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) +} + +// GetUserGroup - fetches user group +func GetUserGroup(gid models.UserGroupID) (models.UserGroup, error) { + d, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, gid.String()) + if err != nil { + return models.UserGroup{}, err + } + var ug models.UserGroup + err = json.Unmarshal([]byte(d), &ug) + if err != nil { + return ug, err + } + return ug, nil +} + +// ListUserGroups - lists user groups +func ListUserGroups() ([]models.UserGroup, error) { + data, err := database.FetchRecords(database.USER_GROUPS_TABLE_NAME) + if err != nil && !database.IsEmptyRecord(err) { + return []models.UserGroup{}, err + } + userGroups := []models.UserGroup{} + for _, dataI := range data { + userGroup := models.UserGroup{} + err := json.Unmarshal([]byte(dataI), &userGroup) + if err != nil { + continue + } + userGroups = append(userGroups, userGroup) + } + return userGroups, nil +} + +// UpdateUserGroup - updates new user group +func UpdateUserGroup(g models.UserGroup) error { + // check if group exists + if g.ID == "" { + return errors.New("group id cannot be empty") + } + _, err := database.FetchRecord(database.USER_GROUPS_TABLE_NAME, g.ID.String()) + if err != nil { + return err + } + d, err := json.Marshal(g) + if err != nil { + return err + } + return database.Insert(g.ID.String(), string(d), database.USER_GROUPS_TABLE_NAME) +} + +// DeleteUserGroup - deletes user group +func DeleteUserGroup(gid models.UserGroupID) error { + users, err := logic.GetUsersDB() + if err != nil { + return err + } + for _, user := range users { + delete(user.UserGroups, gid) + logic.UpsertUser(user) + } + return database.DeleteRecord(database.USER_GROUPS_TABLE_NAME, gid.String()) +} + +func HasNetworkRsrcScope(permissionTemplate models.UserRolePermissionTemplate, netid string, rsrcType models.RsrcType, rsrcID models.RsrcID, op string) bool { + if permissionTemplate.FullAccess { + return true + } + + rsrcScope, ok := permissionTemplate.NetworkLevelAccess[rsrcType] + if !ok { + return false + } + _, ok = rsrcScope[rsrcID] + return ok +} +func GetUserRAGNodes(user models.User) (gws map[string]models.Node) { + gws = make(map[string]models.Node) + userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user) + logger.Log(0, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope)) + _, allNetAccess := userGwAccessScope["*"] + nodes, err := logic.GetAllNodes() + if err != nil { + return + } + for _, node := range nodes { + if node.IsIngressGateway && !node.PendingDelete { + if allNetAccess { + gws[node.ID.String()] = node + } else { + gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)] + scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID] + if !ok { + if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok { + continue + } + } + if scope.VPNaccess { + gws[node.ID.String()] = node + } + + } + } + } + return +} + +// GetUserNetworkRoles - get user network roles +func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) { + gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) + platformRole, err := logic.GetRole(user.PlatformRoleID) + if err != nil { + return + } + if platformRole.FullAccess { + gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope) + return + } + if _, ok := user.NetworkRoles[models.AllNetworks]; ok { + gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope) + } + if len(user.UserGroups) > 0 { + for gID := range user.UserGroups { + userG, err := GetUserGroup(gID) + if err != nil { + continue + } + for netID, roleMap := range userG.NetworkRoles { + for roleID := range roleMap { + role, err := logic.GetRole(roleID) + if err == nil { + if role.FullAccess { + gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{ + models.AllRemoteAccessGwRsrcID: { + Create: true, + Read: true, + Update: true, + VPNaccess: true, + Delete: true, + }, + models.AllExtClientsRsrcID: { + Create: true, + Read: true, + Update: true, + Delete: true, + }, + } + break + } + if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok { + if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess { + if len(gwAccess[netID]) == 0 { + gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) + } + gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions + break + } else { + for gwID, scope := range rsrcsMap { + if scope.VPNaccess { + if len(gwAccess[netID]) == 0 { + gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) + } + gwAccess[netID][gwID] = scope + } + } + } + + } + + } + } + } + } + } + for netID, roleMap := range user.NetworkRoles { + for roleID := range roleMap { + role, err := logic.GetRole(roleID) + if err == nil { + if role.FullAccess { + gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{ + models.AllRemoteAccessGwRsrcID: { + Create: true, + Read: true, + Update: true, + VPNaccess: true, + Delete: true, + }, + models.AllExtClientsRsrcID: { + Create: true, + Read: true, + Update: true, + Delete: true, + }, + } + break + } + if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok { + if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess { + if len(gwAccess[netID]) == 0 { + gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) + } + gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions + break + } else { + for gwID, scope := range rsrcsMap { + if scope.VPNaccess { + if len(gwAccess[netID]) == 0 { + gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope) + } + gwAccess[netID][gwID] = scope + } + } + } + + } + + } + } + } + + return +} + +func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) { + + nodesMap := make(map[string]struct{}) + allNetworkRoles := make(map[models.UserRoleID]struct{}) + + if len(user.NetworkRoles) > 0 { + for _, netRoles := range user.NetworkRoles { + for netRoleI := range netRoles { + allNetworkRoles[netRoleI] = struct{}{} + } + } + } + if _, ok := user.NetworkRoles[models.AllNetworks]; ok { + return nodes + } + if len(user.UserGroups) > 0 { + for userGID := range user.UserGroups { + userG, err := GetUserGroup(userGID) + if err == nil { + if len(userG.NetworkRoles) > 0 { + if _, ok := userG.NetworkRoles[models.AllNetworks]; ok { + return nodes + } + for _, netRoles := range userG.NetworkRoles { + for netRoleI := range netRoles { + allNetworkRoles[netRoleI] = struct{}{} + } + } + } + } + } + } + for networkRoleID := range allNetworkRoles { + userPermTemplate, err := logic.GetRole(networkRoleID) + if err != nil { + continue + } + networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String()) + if userPermTemplate.FullAccess { + for _, node := range networkNodes { + if _, ok := nodesMap[node.ID.String()]; ok { + continue + } + nodesMap[node.ID.String()] = struct{}{} + filteredNodes = append(filteredNodes, node) + } + + continue + } + if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok { + if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok { + for _, node := range networkNodes { + if _, ok := nodesMap[node.ID.String()]; ok { + continue + } + if node.IsIngressGateway { + nodesMap[node.ID.String()] = struct{}{} + filteredNodes = append(filteredNodes, node) + } + } + } else { + for gwID, scope := range rsrcPerms { + if _, ok := nodesMap[gwID.String()]; ok { + continue + } + if scope.Read { + gwNode, err := logic.GetNodeByID(gwID.String()) + if err == nil && gwNode.IsIngressGateway { + nodesMap[gwNode.ID.String()] = struct{}{} + filteredNodes = append(filteredNodes, gwNode) + } + } + } + } + } + + } + return +} + +func FilterNetworksByRole(allnetworks []models.Network, user models.User) []models.Network { + platformRole, err := logic.GetRole(user.PlatformRoleID) + if err != nil { + return []models.Network{} + } + if !platformRole.FullAccess { + allNetworkRoles := make(map[models.NetworkID]struct{}) + if len(user.NetworkRoles) > 0 { + for netID := range user.NetworkRoles { + if netID == models.AllNetworks { + return allnetworks + } + allNetworkRoles[netID] = struct{}{} + + } + } + if len(user.UserGroups) > 0 { + for userGID := range user.UserGroups { + userG, err := GetUserGroup(userGID) + if err == nil { + if len(userG.NetworkRoles) > 0 { + for netID := range userG.NetworkRoles { + if netID == models.AllNetworks { + return allnetworks + } + allNetworkRoles[netID] = struct{}{} + + } + } + } + } + } + filteredNetworks := []models.Network{} + for _, networkI := range allnetworks { + if _, ok := allNetworkRoles[models.NetworkID(networkI.NetID)]; ok { + filteredNetworks = append(filteredNetworks, networkI) + } + } + allnetworks = filteredNetworks + } + return allnetworks +} + +func IsGroupsValid(groups map[models.UserGroupID]struct{}) error { + + for groupID := range groups { + _, err := GetUserGroup(groupID) + if err != nil { + return fmt.Errorf("user group `%s` not found", groupID) + } + } + return nil +} + +func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error { + for netID, netRoles := range networkRoles { + + if netID != models.AllNetworks { + _, err := logic.GetNetwork(netID.String()) + if err != nil { + return fmt.Errorf("failed to fetch network %s ", netID) + } + } + for netRoleID := range netRoles { + role, err := logic.GetRole(netRoleID) + if err != nil { + return fmt.Errorf("failed to fetch role %s ", netRoleID) + } + if role.NetworkID == "" { + return fmt.Errorf("cannot use platform as network role %s", netRoleID) + } + } + } + return nil +} + +// PrepareOauthUserFromInvite - init oauth user before create +func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) { + var newPass, fetchErr = logic.FetchPassValue("") + if fetchErr != nil { + return models.User{}, fetchErr + } + user := models.User{ + UserName: in.Email, + Password: newPass, + } + user.UserGroups = in.UserGroups + user.NetworkRoles = in.NetworkRoles + user.PlatformRoleID = models.UserRoleID(in.PlatformRoleID) + if user.PlatformRoleID == "" { + user.PlatformRoleID = models.ServiceUser + } + return user, nil +} + +func UpdatesUserGwAccessOnRoleUpdates(currNetworkAccess, + changeNetworkAccess map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope, netID string) { + networkChangeMap := make(map[models.RsrcID]models.RsrcPermissionScope) + for rsrcType, RsrcPermsMap := range currNetworkAccess { + if rsrcType != models.RemoteAccessGwRsrc { + continue + } + if _, ok := changeNetworkAccess[rsrcType]; !ok { + for rsrcID, scope := range RsrcPermsMap { + networkChangeMap[rsrcID] = scope + } + } else { + for rsrcID, scope := range RsrcPermsMap { + if _, ok := changeNetworkAccess[rsrcType][rsrcID]; !ok { + networkChangeMap[rsrcID] = scope + } + } + } + } + + extclients, err := logic.GetAllExtClients() + if err != nil { + slog.Error("failed to fetch extclients", "error", err) + return + } + userMap, err := logic.GetUserMap() + if err != nil { + return + } + for _, extclient := range extclients { + if extclient.Network != netID { + continue + } + if _, ok := networkChangeMap[models.AllRemoteAccessGwRsrcID]; ok { + if user, ok := userMap[extclient.OwnerID]; ok { + if user.PlatformRoleID != models.ServiceUser { + continue + } + err = logic.DeleteExtClientAndCleanup(extclient) + if err != nil { + slog.Error("failed to delete extclient", + "id", extclient.ClientID, "owner", user.UserName, "error", err) + } else { + if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { + slog.Error("error setting ext peers: " + err.Error()) + } + } + } + continue + } + if _, ok := networkChangeMap[models.RsrcID(extclient.IngressGatewayID)]; ok { + if user, ok := userMap[extclient.OwnerID]; ok { + if user.PlatformRoleID != models.ServiceUser { + continue + } + err = logic.DeleteExtClientAndCleanup(extclient) + if err != nil { + slog.Error("failed to delete extclient", + "id", extclient.ClientID, "owner", user.UserName, "error", err) + } else { + if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { + slog.Error("error setting ext peers: " + err.Error()) + } + } + } + + } + + } + if servercfg.IsDNSMode() { + logic.SetDNS() + } +} + +func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) { + networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{}) + for netID, networkUserRoles := range currNetworkRoles { + if _, ok := changeNetworkRoles[netID]; !ok { + for netRoleID := range networkUserRoles { + if _, ok := networkChangeMap[netID]; !ok { + networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) + } + networkChangeMap[netID][netRoleID] = struct{}{} + } + } else { + for netRoleID := range networkUserRoles { + if _, ok := changeNetworkRoles[netID][netRoleID]; !ok { + if _, ok := networkChangeMap[netID]; !ok { + networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) + } + networkChangeMap[netID][netRoleID] = struct{}{} + } + } + } + } + extclients, err := logic.GetAllExtClients() + if err != nil { + slog.Error("failed to fetch extclients", "error", err) + return + } + userMap, err := logic.GetUserMap() + if err != nil { + return + } + for _, extclient := range extclients { + + if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok { + if user, ok := userMap[extclient.OwnerID]; ok { + if user.PlatformRoleID != models.ServiceUser { + continue + } + err = logic.DeleteExtClientAndCleanup(extclient) + if err != nil { + slog.Error("failed to delete extclient", + "id", extclient.ClientID, "owner", user.UserName, "error", err) + } else { + if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { + slog.Error("error setting ext peers: " + err.Error()) + } + } + } + + } + + } + if servercfg.IsDNSMode() { + logic.SetDNS() + } + +} + +func UpdateUserGwAccess(currentUser, changeUser models.User) { + if changeUser.PlatformRoleID != models.ServiceUser { + return + } + + networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{}) + for netID, networkUserRoles := range currentUser.NetworkRoles { + if _, ok := changeUser.NetworkRoles[netID]; !ok { + for netRoleID := range networkUserRoles { + if _, ok := networkChangeMap[netID]; !ok { + networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) + } + networkChangeMap[netID][netRoleID] = struct{}{} + } + } else { + for netRoleID := range networkUserRoles { + if _, ok := changeUser.NetworkRoles[netID][netRoleID]; !ok { + if _, ok := networkChangeMap[netID]; !ok { + networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) + } + networkChangeMap[netID][netRoleID] = struct{}{} + } + } + } + } + for gID := range currentUser.UserGroups { + if _, ok := changeUser.UserGroups[gID]; ok { + continue + } + userG, err := GetUserGroup(gID) + if err == nil { + for netID, networkUserRoles := range userG.NetworkRoles { + for netRoleID := range networkUserRoles { + if _, ok := networkChangeMap[netID]; !ok { + networkChangeMap[netID] = make(map[models.UserRoleID]struct{}) + } + networkChangeMap[netID][netRoleID] = struct{}{} + } + } + } + } + if len(networkChangeMap) == 0 { + return + } + // TODO - cleanup gw access when role and groups are updated + //removedGwAccess + extclients, err := logic.GetAllExtClients() + if err != nil { + slog.Error("failed to fetch extclients", "error", err) + return + } + for _, extclient := range extclients { + if extclient.OwnerID == currentUser.UserName { + if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok { + err = logic.DeleteExtClientAndCleanup(extclient) + if err != nil { + slog.Error("failed to delete extclient", + "id", extclient.ClientID, "owner", changeUser.UserName, "error", err) + } else { + if err := mq.PublishDeletedClientPeerUpdate(&extclient); err != nil { + slog.Error("error setting ext peers: " + err.Error()) + } + } + } + + } + } + if servercfg.IsDNSMode() { + logic.SetDNS() + } + +} diff --git a/scripts/netmaker.default.env b/scripts/netmaker.default.env index 4ccb71c2..876c2a4b 100644 --- a/scripts/netmaker.default.env +++ b/scripts/netmaker.default.env @@ -75,3 +75,14 @@ RAC_AUTO_DISABLE=false CACHING_ENABLED=true # if turned on netclient checks if peers are reachable over private/LAN address, and choose that as peer endpoint ENDPOINT_DETECTION=true +# config for sending emails +# mail server host +SMTP_HOST=smtp.gmail.com +# mail server port +SMTP_PORT=587 +# sender email +EMAIL_SENDER_ADDR= +# sender email auth +EMAIL_SENDER_AUTH= +# mail sender type (smtp or resend) +EMAIL_SENDER_TYPE=smtp \ No newline at end of file diff --git a/scripts/nm-quick.sh b/scripts/nm-quick.sh index e94cd259..ab18eed5 100755 --- a/scripts/nm-quick.sh +++ b/scripts/nm-quick.sh @@ -231,6 +231,7 @@ save_config() { ( fi if [ -n "$NETMAKER_BASE_DOMAIN" ]; then save_config_item NM_DOMAIN "$NETMAKER_BASE_DOMAIN" + save_config_item FRONTEND_URL "https://dashboard.$NETMAKER_BASE_DOMAIN" fi save_config_item UI_IMAGE_TAG "$IMAGE_TAG" # version-specific entries diff --git a/servercfg/serverconf.go b/servercfg/serverconf.go index 3090f33a..5a5916d2 100644 --- a/servercfg/serverconf.go +++ b/servercfg/serverconf.go @@ -242,6 +242,59 @@ func GetPublicBrokerEndpoint() string { } } +func GetSmtpHost() string { + v := "" + if fromEnv := os.Getenv("SMTP_HOST"); fromEnv != "" { + v = fromEnv + } else if fromCfg := config.Config.Server.SmtpHost; fromCfg != "" { + v = fromCfg + } + return v +} + +func GetSmtpPort() int { + v := 587 + if fromEnv := os.Getenv("SMTP_PORT"); fromEnv != "" { + port, err := strconv.Atoi(fromEnv) + if err == nil { + v = port + } + } else if fromCfg := config.Config.Server.SmtpPort; fromCfg != 0 { + v = fromCfg + } + return v +} + +func GetSenderEmail() string { + v := "" + if fromEnv := os.Getenv("EMAIL_SENDER_ADDR"); fromEnv != "" { + v = fromEnv + } else if fromCfg := config.Config.Server.EmailSenderAddr; fromCfg != "" { + v = fromCfg + } + return v +} + +func GetEmaiSenderAuth() string { + v := "" + if fromEnv := os.Getenv("EMAIL_SENDER_AUTH"); fromEnv != "" { + v = fromEnv + } else if fromCfg := config.Config.Server.EmailSenderAddr; fromCfg != "" { + v = fromCfg + } + return v +} + +func EmailSenderType() string { + s := "" + if fromEnv := os.Getenv("EMAIL_SENDER_TYPE"); fromEnv != "" { + s = fromEnv + } else if fromCfg := config.Config.Server.EmailSenderType; fromCfg != "" { + s = fromCfg + } + return s +} + // GetOwnerEmail - gets the owner email (saas) func GetOwnerEmail() string { return os.Getenv("SAAS_OWNER_EMAIL") @@ -472,7 +525,7 @@ func GetPublicIP() (string, error) { break } } - if err == nil && endpoint == "" { + if endpoint == "" { err = errors.New("public address not found") } return endpoint, err