allow multiple network roles

2025-09-13 08:34:44 +08:00 · 2024-06-25 00:09:24 +05:30 · 2024-06-25 00:09:24 +05:30 · 49c2e60744
commit 49c2e60744
parent e326c0fd49
4 changed files with 83 additions and 41 deletions
--- a/controllers/user.go
+++ b/controllers/user.go
@ -642,6 +642,20 @@ func createUser(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
+	uniqueGroupsPlatformRole := make(map[models.UserRole]struct{})
+	for groupID := range user.UserGroups {
+		userG, err := logic.GetUserGroup(groupID)
+		if err != nil {
+			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+			return
+		}
+		uniqueGroupsPlatformRole[userG.PlatformRole] = struct{}{}
+	}
+	if len(uniqueGroupsPlatformRole) > 1 {
+		err = errors.New("only groups with same platform role can be assigned to an user")
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
 	if !caller.IsSuperAdmin && user.IsAdmin {
 		err = errors.New("only superadmin can create admin users")
 		slog.Error("error creating new user: ", "user", user.UserName, "error", err)
--- a/logic/security.go
+++ b/logic/security.go
@ -51,31 +51,20 @@ func networkPermissionsCheck(username string, r *http.Request) error {
 	// TODO - differentitate between global scope and network scope apis
 	netRoles := user.NetworkRoles[models.NetworkID(netID)]
 	for netRoleID := range netRoles {
-		networkPermissionScope, err := GetRole(netRoleID)
-		if err != nil {
-			continue
-		}
-		if networkPermissionScope.FullAccess {
+		err = checkNetworkAccessPermissions(netRoleID, r.Method, targetRsrc, targetRsrcID)
+		if err == nil {
 			return nil
 		}
-		rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
-		if !ok {
-			continue
-		}
-		if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
-			err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, r.Method)
-			if err == nil {
-				return nil
-			}
-
-		}
-		if targetRsrcID == "" {
-			continue
-		}
-		if scope, ok := rsrcPermissionScope[models.RsrcID(targetRsrcID)]; ok {
-			err = checkPermissionScopeWithReqMethod(scope, r.Method)
-			if err == nil {
-				return nil
+	}
+	for groupID := range user.UserGroups {
+		userG, err := GetUserGroup(groupID)
+		if err == nil {
+			netRoles := userG.NetworkRoles[models.NetworkID(netID)]
+			for netRoleID := range netRoles {
+				err = checkNetworkAccessPermissions(netRoleID, r.Method, targetRsrc, targetRsrcID)
+				if err == nil {
+					return nil
+				}
 			}
 		}
 	}
@ -83,6 +72,37 @@ func networkPermissionsCheck(username string, r *http.Request) error {
 	return errors.New("access denied")
 }

+func checkNetworkAccessPermissions(netRoleID models.UserRole, reqScope, targetRsrc, targetRsrcID string) error {
+	networkPermissionScope, err := GetRole(netRoleID)
+	if err != nil {
+		return err
+	}
+	if networkPermissionScope.FullAccess {
+		return nil
+	}
+	rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
+	if !ok {
+		return errors.New("access denied")
+	}
+	if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
+		err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, reqScope)
+		if err == nil {
+			return nil
+		}
+
+	}
+	if targetRsrcID == "" {
+		return errors.New("target rsrc id is empty")
+	}
+	if scope, ok := rsrcPermissionScope[models.RsrcID(targetRsrcID)]; ok {
+		err = checkPermissionScopeWithReqMethod(scope, reqScope)
+		if err == nil {
+			return nil
+		}
+	}
+	return errors.New("access denied")
+}
+
 func globalPermissionsCheck(username string, r *http.Request) error {
 	user, err := GetUser(username)
 	if err != nil {
--- a/logic/user_mgmt.go
+++ b/logic/user_mgmt.go
@ -30,7 +30,7 @@ var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{
 var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:                 models.NetworkAdmin,
 	Default:            true,
-	NetworkID:          "*",
+	NetworkID:          "netmaker",
 	FullAccess:         true,
 	NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
 }
@ -39,7 +39,7 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 	ID:                  models.NetworkUser,
 	Default:             true,
 	FullAccess:          false,
-	NetworkID:           "*",
+	NetworkID:           "netmaker",
 	DenyDashboardAccess: false,
 	NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 		models.RemoteAccessGwRsrc: {
@ -49,10 +49,11 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
 		},
 		models.ExtClientsRsrc: {
 			models.AllExtClientsRsrcID: models.RsrcPermissionScope{
-				Read:   true,
-				Create: true,
-				Update: true,
-				Delete: true,
+				Read:      true,
+				Create:    true,
+				Update:    true,
+				Delete:    true,
+				VPNaccess: true,
 			},
 		},
 	},
@ -146,16 +147,23 @@ func DeleteRole(rid models.UserRole) error {
 	if err != nil {
 		return err
 	}
+	role, err := GetRole(rid)
+	if err != nil {
+		return err
+	}
 	for _, user := range users {
 		for userG := range user.UserGroups {
 			ug, err := GetUserGroup(userG)
 			if err == nil {
-				for _, networkRole := range ug.NetworkRoles {
-					if networkRole == rid {
-						err = errors.New("role cannot be deleted as active user groups are using this role")
-						return err
+				if role.NetworkID != "" {
+					for _, networkRoles := range ug.NetworkRoles {
+						if _, ok := networkRoles[rid]; ok {
+							err = errors.New("role cannot be deleted as active user groups are using this role")
+							return err
+						}
 					}
 				}
+
 			}
 		}

@ -164,12 +172,11 @@ func DeleteRole(rid models.UserRole) error {
 			return err
 		}
 		for _, networkRoles := range user.NetworkRoles {
-			for networkRole := range networkRoles {
-				if networkRole == rid {
-					err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
-					return err
-				}
+			if _, ok := networkRoles[rid]; ok {
+				err = errors.New("active roles cannot be deleted.switch existing users to a new role before deleting")
+				return err
 			}
+
 		}
 	}
 	return database.DeleteRecord(database.USER_PERMISSIONS_TABLE_NAME, rid.String())
--- a/models/user_mgmt.go
+++ b/models/user_mgmt.go
@ -87,9 +87,10 @@ type UserRolePermissionTemplate struct {
 }

 type UserGroup struct {
-	ID           string                 `json:"id"`
-	NetworkRoles map[NetworkID]UserRole `json:"network_roles"`
-	MetaData     string                 `json:"meta_data"`
+	ID           string                              `json:"id"`
+	PlatformRole UserRole                            `json:"platform_role"`
+	NetworkRoles map[NetworkID]map[UserRole]struct{} `json:"network_roles"`
+	MetaData     string                              `json:"meta_data"`
 }

 // User struct - struct for Users