From 56fdd6d98e5be195e6a4d03a385009bc8935d343 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Sat, 22 Jun 2024 17:32:38 +0530 Subject: [PATCH] replace auth checks, add network id to role model --- controllers/middleware.go | 13 ++++++++++++- controllers/node.go | 4 ++-- controllers/server.go | 4 ++-- controllers/user.go | 7 ++++++- logic/user_mgmt.go | 12 +++++++++++- models/user_mgmt.go | 7 ++++--- 6 files changed, 37 insertions(+), 10 deletions(-) diff --git a/controllers/middleware.go b/controllers/middleware.go index 6ea9bf8a..e27f4568 100644 --- a/controllers/middleware.go +++ b/controllers/middleware.go @@ -34,10 +34,21 @@ func userMiddleWare(handler http.Handler) http.Handler { r.Header.Set("TARGET_RSRC", models.NetworkRsrc.String()) r.Header.Set("RSRC_TYPE", models.NetworkRsrc.String()) } + if strings.Contains(r.URL.Path, "acls") { + r.Header.Set("TARGET_RSRC", models.AclRsrc.String()) + r.Header.Set("RSRC_TYPE", models.NetworkRsrc.String()) + } if strings.Contains(r.URL.Path, "extclients") { r.Header.Set("TARGET_RSRC", models.ExtClientsRsrc.String()) r.Header.Set("RSRC_TYPE", models.ExtClientsRsrc.String()) } + if strings.Contains(r.URL.Path, "enrollment-keys") { + r.Header.Set("TARGET_RSRC", models.EnrollmentKeysRsrc.String()) + r.Header.Set("RSRC_TYPE", models.EnrollmentKeysRsrc.String()) + } + if keyID, ok := params["keyID"]; ok { + r.Header.Set("TARGET_RSRC_ID", keyID) + } if nodeID, ok := params["nodeid"]; ok { r.Header.Set("TARGET_RSRC_ID", nodeID) } @@ -53,7 +64,7 @@ func userMiddleWare(handler http.Handler) http.Handler { if userID, ok := params["username"]; ok { r.Header.Set("TARGET_RSRC_ID", userID) } - if r.Header.Get("TARGET_RSRC_ID") == "" { + if r.Header.Get("TARGET_RSRC_ID") == "" || r.Header.Get("TARGET_RSRC") == models.EnrollmentKeysRsrc.String() { r.Header.Set("IS_GLOBAL_ACCESS", "yes") } handler.ServeHTTP(w, r) diff --git a/controllers/node.go b/controllers/node.go index ed104b35..1b14943e 100644 --- a/controllers/node.go +++ b/controllers/node.go @@ -21,8 +21,8 @@ var hostIDHeader = "host-id" func nodeHandlers(r *mux.Router) { - r.HandleFunc("/api/nodes", Authorize(false, false, "user", http.HandlerFunc(getAllNodes))).Methods(http.MethodGet) - r.HandleFunc("/api/nodes/{network}", Authorize(false, true, "network", http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet) + r.HandleFunc("/api/nodes", logic.SecurityCheck(true, http.HandlerFunc(createEnrollmentKey))).Methods(http.MethodGet) + r.HandleFunc("/api/nodes/{network}", logic.SecurityCheck(true, http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet) r.HandleFunc("/api/nodes/{network}/{nodeid}", Authorize(true, true, "node", http.HandlerFunc(getNode))).Methods(http.MethodGet) r.HandleFunc("/api/nodes/{network}/{nodeid}", logic.SecurityCheck(true, http.HandlerFunc(updateNode))).Methods(http.MethodPut) r.HandleFunc("/api/nodes/{network}/{nodeid}", Authorize(true, true, "node", http.HandlerFunc(deleteNode))).Methods(http.MethodDelete) diff --git a/controllers/server.go b/controllers/server.go index 6e96688c..2efd6d65 100644 --- a/controllers/server.go +++ b/controllers/server.go @@ -38,10 +38,10 @@ func serverHandlers(r *mux.Router) { ).Methods(http.MethodPost) r.HandleFunc("/api/server/getconfig", allowUsers(http.HandlerFunc(getConfig))). Methods(http.MethodGet) - r.HandleFunc("/api/server/getserverinfo", Authorize(true, false, "node", http.HandlerFunc(getServerInfo))). + r.HandleFunc("/api/server/getserverinfo", logic.SecurityCheck(true, http.HandlerFunc(getServerInfo))). Methods(http.MethodGet) r.HandleFunc("/api/server/status", getStatus).Methods(http.MethodGet) - r.HandleFunc("/api/server/usage", Authorize(true, false, "user", http.HandlerFunc(getUsage))). + r.HandleFunc("/api/server/usage", logic.SecurityCheck(false, http.HandlerFunc(getUsage))). Methods(http.MethodGet) } diff --git a/controllers/user.go b/controllers/user.go index 583d1d35..db9af948 100644 --- a/controllers/user.go +++ b/controllers/user.go @@ -37,7 +37,7 @@ func userHandlers(r *mux.Router) { r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete) r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost) - // User Role handlers + // User Role Handlers r.HandleFunc("/api/v1/user/roles", logic.SecurityCheck(true, http.HandlerFunc(listRoles))).Methods(http.MethodGet) r.HandleFunc("/api/v1/user/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet) r.HandleFunc("/api/v1/user/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost) @@ -259,6 +259,11 @@ func createRole(w http.ResponseWriter, r *http.Request) { logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest")) return } + if userRole.NetworkID == "" { + logic.ReturnErrorResponse(w, r, logic.FormatError(err, "only network roles are allowed to be created")) + return + } + userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope) err = logic.CreateRole(userRole) if err != nil { logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) diff --git a/logic/user_mgmt.go b/logic/user_mgmt.go index 82044db0..16225e4c 100644 --- a/logic/user_mgmt.go +++ b/logic/user_mgmt.go @@ -14,6 +14,7 @@ var SuperAdminPermissionTemplate = models.UserRolePermissionTemplate{ Default: true, FullAccess: true, } + var AdminPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.AdminRole, Default: true, @@ -23,7 +24,7 @@ var AdminPermissionTemplate = models.UserRolePermissionTemplate{ var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.NetworkAdmin, Default: true, - IsNetworkRole: true, + NetworkID: "netmaker", FullAccess: true, NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope), } @@ -32,6 +33,7 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{ ID: models.NetworkUser, Default: true, FullAccess: false, + NetworkID: "netmaker", DenyDashboardAccess: false, NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{ models.RemoteAccessGwRsrc: { @@ -39,6 +41,14 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{ Read: true, }, }, + models.ExtClientsRsrc: { + models.AllExtClientsRsrcID: models.RsrcPermissionScope{ + Read: true, + Create: true, + Update: true, + Delete: true, + }, + }, }, } diff --git a/models/user_mgmt.go b/models/user_mgmt.go index 76f7be54..f10d612a 100644 --- a/models/user_mgmt.go +++ b/models/user_mgmt.go @@ -35,14 +35,15 @@ const ( AllHostRsrcID RsrcID = "all_host" AllRelayRsrcID RsrcID = "all_relay" AllRemoteAccessGwRsrcID RsrcID = "all_remote_access_gw" - AllExtClientsRsrc RsrcID = "all_extclients" + AllExtClientsRsrcID RsrcID = "all_extclients" AllInetGwRsrcID RsrcID = "all_inet_gw" AllEgressGwRsrcID RsrcID = "all_egress" AllNetworkRsrcID RsrcID = "all_network" AllEnrollmentKeysRsrcID RsrcID = "all_enrollment_key" AllUserRsrcID RsrcID = "all_user" AllDnsRsrcID RsrcID = "all_dns" - AllFailOverRsrc RsrcID = "all_fail_over" + AllFailOverRsrcID RsrcID = "all_fail_over" + AllAclsRsrcID RsrcID = "all_acls" ) // Pre-Defined User Roles @@ -74,7 +75,7 @@ type UserRolePermissionTemplate struct { Default bool `json:"default"` DenyDashboardAccess bool `json:"deny_dashboard_access"` FullAccess bool `json:"full_access"` - IsNetworkRole bool `json:"network_role"` + NetworkID string `json:"network_id"` NetworkLevelAccess map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"` GlobalLevelAccess map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"` }