admin user auth working
This commit is contained in:
parent
02ec2df48a
commit
4f531e1c54
|
@ -1,8 +0,0 @@
|
|||
skynet {
|
||||
reload 15s
|
||||
hosts /root/dnsconfig/netmaker.hosts {
|
||||
fallthrough
|
||||
}
|
||||
forward . 8.8.8.8 8.8.4.4
|
||||
log
|
||||
}
|
|
@ -1 +0,0 @@
|
|||
10.0.0.1 node-4bukt.skynet
|
|
@ -1,17 +0,0 @@
|
|||
server:
|
||||
host: "localhost"
|
||||
apiport: "8081"
|
||||
grpcport: "50051"
|
||||
masterkey: "secretkey"
|
||||
allowedorigin: "*"
|
||||
restbackend: true
|
||||
agentbackend: true
|
||||
defaultnetname: "default"
|
||||
defaultnetrange: "10.10.10.0/24"
|
||||
createdefault: true
|
||||
mongoconn:
|
||||
user: "mongoadmin"
|
||||
pass: "mongopass"
|
||||
host: "localhost"
|
||||
port: "27017"
|
||||
opts: '/?authSource=admin'
|
|
@ -64,10 +64,6 @@ func SecurityCheck(netname, token string) error {
|
|||
return err
|
||||
}
|
||||
if hasnetwork && !networkexists {
|
||||
//errorResponse = models.ErrorResponse{
|
||||
// Code: http.StatusNotFound, Message: "W1R3: This network does not exist.",
|
||||
//}
|
||||
//returnErrorResponse(w, r, errorResponse)
|
||||
return errors.New("This network does not exist")
|
||||
}
|
||||
|
||||
|
@ -81,14 +77,12 @@ func SecurityCheck(netname, token string) error {
|
|||
authToken = tokenSplit[1]
|
||||
}
|
||||
//all endpoints here require master so not as complicated
|
||||
//still might not be a good way of doing this
|
||||
if !hasBearer || !authenticateMaster(authToken) {
|
||||
//errorResponse = models.ErrorResponse{
|
||||
// Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
||||
// }
|
||||
// returnErrorResponse(w, r, errorResponse)
|
||||
return errors.New("You are unauthorized to access this endpoint")
|
||||
} //else {
|
||||
_, isadmin, err := functions.VerifyUserToken(authToken)
|
||||
if err != nil || !isadmin {
|
||||
return errors.New("You are unauthorized to access this endpoint")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
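Review bot: The admin fallback added at L167 calls `functions.VerifyUserToken(authToken)` whenever the master check fails, including the `!hasBearer` case, so a request with no usable Authorization header is still run through user-token verification of whatever `authToken` holds (its default is set above the hunk) instead of being rejected outright. Reject the missing header first and keep the admin path for a master-key mismatch only, e.g. `if !hasBearer { return errors.New("You are unauthorized to access this endpoint") }` ahead of `if !authenticateMaster(authToken) {`. The `:=` at L167 also shadows the function-level `err` (visible via `return err` in the earlier hunk); it is used only inside the branch, but naming it `uerr` would make that clear. A comment on the branch such as `// fall back to an admin user JWT when the bearer token is not the master key` would document the new dual-credential contract. SecurityCheck begins above this hunk.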
|
|
@ -32,7 +32,6 @@ func nodeHandlers(r *mux.Router) {
|
|||
r.HandleFunc("/api/nodes/{network}/{macaddress}/deleteingress", securityCheck(http.HandlerFunc(deleteIngressGateway))).Methods("DELETE")
|
||||
r.HandleFunc("/api/nodes/{network}/{macaddress}/approve", authorize(true, "master", http.HandlerFunc(uncordonNode))).Methods("POST")
|
||||
r.HandleFunc("/api/nodes/{network}", createNode).Methods("POST")
|
||||
//r.HandleFunc("/api/register", registerClient).Methods("POST")
|
||||
r.HandleFunc("/api/nodes/adm/{network}/lastmodified", authorize(true, "network", http.HandlerFunc(getLastModified))).Methods("GET")
|
||||
r.HandleFunc("/api/nodes/adm/{network}/authenticate", authenticate).Methods("POST")
|
||||
|
||||
|
@ -184,17 +183,24 @@ func authorize(networkCheck bool, authNetwork string, next http.Handler) http.Ha
|
|||
//A: the token is the master password
|
||||
//B: the token corresponds to a mac address, and if so, which one
|
||||
//TODO: There's probably a better way of dealing with the "master token"/master password. Plz Halp.
|
||||
macaddress, _, err := functions.VerifyToken(authToken)
|
||||
if err != nil {
|
||||
errorResponse = models.ErrorResponse{
|
||||
Code: http.StatusUnauthorized, Message: "W1R3: Error Verifying Auth Token.",
|
||||
|
||||
var isAuthorized = false
|
||||
var macaddress = ""
|
||||
_, isadmin, errN := functions.VerifyUserToken(authToken)
|
||||
if errN == nil && isadmin {
|
||||
macaddress = "mastermac"
|
||||
isAuthorized = true
|
||||
} else {
|
||||
mac, _, err := functions.VerifyToken(authToken)
|
||||
if err != nil {
|
||||
errorResponse = models.ErrorResponse{
|
||||
Code: http.StatusUnauthorized, Message: "W1R3: Error Verifying Auth Token.",
|
||||
}
|
||||
returnErrorResponse(w, r, errorResponse)
|
||||
return
|
||||
}
|
||||
returnErrorResponse(w, r, errorResponse)
|
||||
return
|
||||
macaddress = mac
|
||||
}
|
||||
|
||||
var isAuthorized = false
|
||||
|
||||
//The mastermac (login with masterkey from config) can do everything!! May be dangerous.
|
||||
if macaddress == "mastermac" {
|
||||
isAuthorized = true
|
||||
|
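Review bot: Admin users are aliased onto the master identity at L255 by storing the literal `"mastermac"` in `macaddress`, so the later `if macaddress == "mastermac"` grant at L310 can no longer tell a masterkey login from an admin user, and the `isAuthorized = true` at L258 is simply repeated at L313. Keep the decision in its own flag instead — leave `macaddress` empty in the admin branch and set only `isAuthorized = true` there, with a comment such as `// admin user tokens get the same rights as the master key; do not reuse the mastermac sentinel` — so audit output and any later per-network checks can distinguish the two principals. Note too that `VerifyUserToken` is now attempted first for every request, node tokens included, and its error `errN` is discarded; that is acceptable for a fallback, but a mis-signed admin token will surface as the node-path message "W1R3: Error Verifying Auth Token." rather than a user-token error. The `authorize` function starts before this hunk and the `if macaddress == "mastermac"` block is still open at its end.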
|
|
@ -2,6 +2,7 @@ package controller
|
|||
|
||||
import (
|
||||
"github.com/gravitl/netmaker/models"
|
||||
"github.com/gravitl/netmaker/functions"
|
||||
"github.com/gravitl/netmaker/serverctl"
|
||||
"github.com/gravitl/netmaker/servercfg"
|
||||
"encoding/json"
|
||||
|
@ -38,13 +39,16 @@ func securityCheckServer(next http.Handler) http.HandlerFunc {
|
|||
}
|
||||
//all endpoints here require master so not as complicated
|
||||
//still might not be a good way of doing this
|
||||
if !hasBearer || !authenticateMasterServer(authToken) {
|
||||
errorResponse = models.ErrorResponse{
|
||||
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
||||
_, isadmin, err := functions.VerifyUserToken(authToken)
|
||||
if err != nil || !isadmin {
|
||||
if (!hasBearer || !authenticateMasterServer(authToken)) && !isadmin {
|
||||
errorResponse = models.ErrorResponse{
|
||||
Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
|
||||
}
|
||||
returnErrorResponse(w, r, errorResponse)
|
||||
} else {
|
||||
next.ServeHTTP(w, r)
|
||||
}
|
||||
returnErrorResponse(w, r, errorResponse)
|
||||
} else {
|
||||
next.ServeHTTP(w, r)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
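Review bot: The inner condition at L370, `(!hasBearer || !authenticateMasterServer(authToken)) && !isadmin`, only rejects when `isadmin` is false, so a request reaches `next.ServeHTTP` whenever `VerifyUserToken` reports `isadmin == true` together with a non-nil error; whether that function can return claims alongside an error (expired or mis-signed token) is not visible here, but the middleware should not depend on it. The nesting also appears to leave the successful admin path (`err == nil && isadmin`) with neither an error response nor a call to `next`, because both sit inside `if err != nil || !isadmin {`; if that reading of the braces at L385–L409 is right, an admin user gets an empty reply. Restructure as two independent gates with early returns so an admin token is accepted only when verification succeeded and every other request must pass the master key. The handler closure begins above this hunk.
```go
		//all endpoints here require master so not as complicated
		//still might not be a good way of doing this
		_, isadmin, err := functions.VerifyUserToken(authToken)
		if err == nil && isadmin {
			// verified admin user JWT: same rights as the master key
			next.ServeHTTP(w, r)
			return
		}
		if !hasBearer || !authenticateMasterServer(authToken) {
			errorResponse = models.ErrorResponse{
				Code: http.StatusUnauthorized, Message: "W1R3: You are unauthorized to access this endpoint.",
			}
			returnErrorResponse(w, r, errorResponse)
			return
		}
		next.ServeHTTP(w, r)
```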
|
|
@ -126,7 +126,7 @@ func authorizeUser(next http.Handler) http.HandlerFunc {
|
|||
|
||||
//get the auth token
|
||||
bearerToken := r.Header.Get("Authorization")
|
||||
err := ValidateToken(bearerToken)
|
||||
err := ValidateUserToken(bearerToken)
|
||||
if err != nil {
|
||||
returnErrorResponse(w, r, formatError(err, "unauthorized"))
|
||||
return
|
||||
|
@ -135,7 +135,7 @@ func authorizeUser(next http.Handler) http.HandlerFunc {
|
|||
}
|
||||
}
|
||||
|
||||
func ValidateToken(token string) error {
|
||||
func ValidateUserToken(token string) error {
|
||||
var tokenSplit = strings.Split(token, " ")
|
||||
|
||||
//I put this in in case the user doesn't put in a token at all (in which case it's empty)
|
||||
|
@ -148,10 +148,6 @@ func ValidateToken(token string) error {
|
|||
return errors.New("Missing Auth Token.")
|
||||
}
|
||||
|
||||
//This checks if
|
||||
//A: the token is the master password
|
||||
//B: the token corresponds to a mac address, and if so, which one
|
||||
//TODO: There's probably a better way of dealing with the "master token"/master password. Plz Halp.
|
||||
username, _, err := functions.VerifyUserToken(authToken)
|
||||
if err != nil {
|
||||
return errors.New("Error Verifying Auth Token")
|
||||
|
|