replace auth checks, add network id to role model
This commit is contained in:
parent
3f2716ce37
commit
56fdd6d98e
|
@ -34,10 +34,21 @@ func userMiddleWare(handler http.Handler) http.Handler {
|
|||
r.Header.Set("TARGET_RSRC", models.NetworkRsrc.String())
|
||||
r.Header.Set("RSRC_TYPE", models.NetworkRsrc.String())
|
||||
}
|
||||
if strings.Contains(r.URL.Path, "acls") {
|
||||
r.Header.Set("TARGET_RSRC", models.AclRsrc.String())
|
||||
r.Header.Set("RSRC_TYPE", models.NetworkRsrc.String())
|
||||
}
|
||||
if strings.Contains(r.URL.Path, "extclients") {
|
||||
r.Header.Set("TARGET_RSRC", models.ExtClientsRsrc.String())
|
||||
r.Header.Set("RSRC_TYPE", models.ExtClientsRsrc.String())
|
||||
}
|
||||
if strings.Contains(r.URL.Path, "enrollment-keys") {
|
||||
r.Header.Set("TARGET_RSRC", models.EnrollmentKeysRsrc.String())
|
||||
r.Header.Set("RSRC_TYPE", models.EnrollmentKeysRsrc.String())
|
||||
}
|
||||
if keyID, ok := params["keyID"]; ok {
|
||||
r.Header.Set("TARGET_RSRC_ID", keyID)
|
||||
}
|
||||
if nodeID, ok := params["nodeid"]; ok {
|
||||
r.Header.Set("TARGET_RSRC_ID", nodeID)
|
||||
}
|
||||
|
@ -53,7 +64,7 @@ func userMiddleWare(handler http.Handler) http.Handler {
|
|||
if userID, ok := params["username"]; ok {
|
||||
r.Header.Set("TARGET_RSRC_ID", userID)
|
||||
}
|
||||
if r.Header.Get("TARGET_RSRC_ID") == "" {
|
||||
if r.Header.Get("TARGET_RSRC_ID") == "" || r.Header.Get("TARGET_RSRC") == models.EnrollmentKeysRsrc.String() {
|
||||
r.Header.Set("IS_GLOBAL_ACCESS", "yes")
|
||||
}
|
||||
handler.ServeHTTP(w, r)
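Review bot: The resource classification added in this hunk keys on `strings.Contains(r.URL.Path, "acls")`, `"extclients"` and `"enrollment-keys"`, so any path segment that merely contains one of those words — including a user-chosen `{network}` or `{nodeid}` value — reclassifies the request, and because the branches are independent `if`s the last match wins. Anchoring on the registered route instead (`strings.HasPrefix(r.URL.Path, "/api/extclients")`-style, or `mux.CurrentRoute(r).GetPathTemplate()` since the handlers are on a gorilla router) ties TARGET_RSRC to the route rather than to user-supplied segments. The new condition `r.Header.Get("TARGET_RSRC") == models.EnrollmentKeysRsrc.String()` makes every enrollment-key request global access; if that is intended it deserves a one-line comment, e.g. `// enrollment keys are not network-scoped, so they always take the global-access path`. TARGET_RSRC, TARGET_RSRC_ID and IS_GLOBAL_ACCESS are trusted downstream as request headers, so unless the part of userMiddleWare above this hunk already does so, they should be cleared with `r.Header.Del(...)` before these branches so a client cannot pre-set them on a request that matches no branch; the start of the function is outside the hunk.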
|
||||
|
|
|
@ -21,8 +21,8 @@ var hostIDHeader = "host-id"
|
|||
|
||||
func nodeHandlers(r *mux.Router) {
|
||||
|
||||
r.HandleFunc("/api/nodes", Authorize(false, false, "user", http.HandlerFunc(getAllNodes))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/nodes/{network}", Authorize(false, true, "network", http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/nodes", logic.SecurityCheck(true, http.HandlerFunc(createEnrollmentKey))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/nodes/{network}", logic.SecurityCheck(true, http.HandlerFunc(getNetworkNodes))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/nodes/{network}/{nodeid}", Authorize(true, true, "node", http.HandlerFunc(getNode))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/nodes/{network}/{nodeid}", logic.SecurityCheck(true, http.HandlerFunc(updateNode))).Methods(http.MethodPut)
|
||||
r.HandleFunc("/api/nodes/{network}/{nodeid}", Authorize(true, true, "node", http.HandlerFunc(deleteNode))).Methods(http.MethodDelete)
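Review bot: On the new side `/api/nodes` GET is registered with `createEnrollmentKey` where the replaced line used `getAllNodes`, which looks like a copy-paste slip: a GET on the node list would invoke the enrollment-key creation handler. It should read `r.HandleFunc("/api/nodes", logic.SecurityCheck(true, http.HandlerFunc(getAllNodes))).Methods(http.MethodGet)`. Separately, getNode and deleteNode on `/api/nodes/{network}/{nodeid}` still go through `Authorize(true, true, "node", ...)` while updateNode on the same path uses `logic.SecurityCheck(true, ...)`; if the two wrappers accept different token types (Authorize appears to be the node-token path), the mixed checks on one resource are worth a comment or a follow-up. The rest of nodeHandlers continues outside the hunk.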
|
||||
|
|
|
@ -38,10 +38,10 @@ func serverHandlers(r *mux.Router) {
|
|||
).Methods(http.MethodPost)
|
||||
r.HandleFunc("/api/server/getconfig", allowUsers(http.HandlerFunc(getConfig))).
|
||||
Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/server/getserverinfo", Authorize(true, false, "node", http.HandlerFunc(getServerInfo))).
|
||||
r.HandleFunc("/api/server/getserverinfo", logic.SecurityCheck(true, http.HandlerFunc(getServerInfo))).
|
||||
Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/server/status", getStatus).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/server/usage", Authorize(true, false, "user", http.HandlerFunc(getUsage))).
|
||||
r.HandleFunc("/api/server/usage", logic.SecurityCheck(false, http.HandlerFunc(getUsage))).
|
||||
Methods(http.MethodGet)
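Review bot: The `/api/server/usage` route changes from `Authorize(true, false, "user", ...)` to `logic.SecurityCheck(false, ...)`, while every other replacement in this commit passes `true`; if that first argument is an admin-required flag this quietly opens usage data to any authenticated user, and if it is deliberate a comment such as `// usage is readable by any authenticated user` should say so. `/api/server/getserverinfo` moves from the node-scoped `Authorize(true, false, "node", ...)` to `SecurityCheck(true, ...)`; if SecurityCheck validates only user tokens, node clients that previously called this endpoint would now be rejected, which is worth confirming against the callers before merging.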
|
||||
}
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ func userHandlers(r *mux.Router) {
|
|||
r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(deletePendingUser))).Methods(http.MethodDelete)
|
||||
r.HandleFunc("/api/users_pending/user/{username}", logic.SecurityCheck(true, http.HandlerFunc(approvePendingUser))).Methods(http.MethodPost)
|
||||
|
||||
// User Role handlers
|
||||
// User Role Handlers
|
||||
r.HandleFunc("/api/v1/user/roles", logic.SecurityCheck(true, http.HandlerFunc(listRoles))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/v1/user/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
|
||||
r.HandleFunc("/api/v1/user/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
|
||||
|
@ -259,6 +259,11 @@ func createRole(w http.ResponseWriter, r *http.Request) {
|
|||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
|
||||
return
|
||||
}
|
||||
if userRole.NetworkID == "" {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "only network roles are allowed to be created"))
|
||||
return
|
||||
}
|
||||
userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
|
||||
err = logic.CreateRole(userRole)
|
||||
if err != nil {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
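Review bot: The new `userRole.NetworkID == ""` guard passes `err` to `logic.FormatError`, but `err` is nil at that point (the decode error just above already returned), and the message string is placed in the second argument where the surrounding calls put the error type (`"badrequest"`, `"internal"`); it should be `logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only network roles are allowed to be created"), "badrequest"))`, with `errors` imported if the file does not already have it. The guard also only checks that NetworkID is non-empty: it neither forces `userRole.IsNetworkRole = true` nor verifies that the named network exists, so a caller passing SecurityCheck can create a role whose `IsNetworkRole` disagrees with its `NetworkID` or that targets a non-existent network — set the flag next to the `GlobalLevelAccess` reset and look the network up with whatever helper the package uses before calling `logic.CreateRole`. Zeroing `GlobalLevelAccess` for network roles is the right call; the remainder of createRole is outside the hunk.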
|
||||
|
|
|
@ -14,6 +14,7 @@ var SuperAdminPermissionTemplate = models.UserRolePermissionTemplate{
|
|||
Default: true,
|
||||
FullAccess: true,
|
||||
}
|
||||
|
||||
var AdminPermissionTemplate = models.UserRolePermissionTemplate{
|
||||
ID: models.AdminRole,
|
||||
Default: true,
|
||||
|
@ -23,7 +24,7 @@ var AdminPermissionTemplate = models.UserRolePermissionTemplate{
|
|||
var NetworkAdminPermissionTemplate = models.UserRolePermissionTemplate{
|
||||
ID: models.NetworkAdmin,
|
||||
Default: true,
|
||||
IsNetworkRole: true,
|
||||
NetworkID: "netmaker",
|
||||
FullAccess: true,
|
||||
NetworkLevelAccess: make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope),
|
||||
}
|
||||
|
@ -32,6 +33,7 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
|
|||
ID: models.NetworkUser,
|
||||
Default: true,
|
||||
FullAccess: false,
|
||||
NetworkID: "netmaker",
|
||||
DenyDashboardAccess: false,
|
||||
NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
|
||||
models.RemoteAccessGwRsrc: {
|
||||
|
@ -39,6 +41,14 @@ var NetworkUserPermissionTemplate = models.UserRolePermissionTemplate{
|
|||
Read: true,
|
||||
},
|
||||
},
|
||||
models.ExtClientsRsrc: {
|
||||
models.AllExtClientsRsrcID: models.RsrcPermissionScope{
|
||||
Read: true,
|
||||
Create: true,
|
||||
Update: true,
|
||||
Delete: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
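Review bot: Both `NetworkAdminPermissionTemplate` and `NetworkUserPermissionTemplate` now hard-code `NetworkID: "netmaker"`, so as written these default network roles are bound to one network; if they are meant to seed a role per network, the ID has to be overwritten when the template is instantiated, and a comment such as `// NetworkID is replaced per network when the default roles are created` would make that contract explicit. `NetworkUserPermissionTemplate` also omits `IsNetworkRole: true` although `NetworkAdminPermissionTemplate` sets it, so any check keyed on that flag will treat the two defaults differently. The new `models.ExtClientsRsrc` entry grants `Create`, `Update` and `Delete` on `AllExtClientsRsrcID` to every network user; if the intent is that users manage only their own ext clients, that ownership check has to live elsewhere and should be referenced in a comment here.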
|
||||
|
||||
|
|
|
@ -35,14 +35,15 @@ const (
|
|||
AllHostRsrcID RsrcID = "all_host"
|
||||
AllRelayRsrcID RsrcID = "all_relay"
|
||||
AllRemoteAccessGwRsrcID RsrcID = "all_remote_access_gw"
|
||||
AllExtClientsRsrc RsrcID = "all_extclients"
|
||||
AllExtClientsRsrcID RsrcID = "all_extclients"
|
||||
AllInetGwRsrcID RsrcID = "all_inet_gw"
|
||||
AllEgressGwRsrcID RsrcID = "all_egress"
|
||||
AllNetworkRsrcID RsrcID = "all_network"
|
||||
AllEnrollmentKeysRsrcID RsrcID = "all_enrollment_key"
|
||||
AllUserRsrcID RsrcID = "all_user"
|
||||
AllDnsRsrcID RsrcID = "all_dns"
|
||||
AllFailOverRsrc RsrcID = "all_fail_over"
|
||||
AllFailOverRsrcID RsrcID = "all_fail_over"
|
||||
AllAclsRsrcID RsrcID = "all_acls"
|
||||
)
|
||||
|
||||
// Pre-Defined User Roles
|
||||
|
@ -74,7 +75,7 @@ type UserRolePermissionTemplate struct {
|
|||
Default bool `json:"default"`
|
||||
DenyDashboardAccess bool `json:"deny_dashboard_access"`
|
||||
FullAccess bool `json:"full_access"`
|
||||
IsNetworkRole bool `json:"network_role"`
|
||||
NetworkID string `json:"network_id"`
|
||||
NetworkLevelAccess map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"network_level_access"`
|
||||
GlobalLevelAccess map[RsrcType]map[RsrcID]RsrcPermissionScope `json:"global_level_access"`
|
||||
}
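Review bot: The new `NetworkID` field on `UserRolePermissionTemplate` has no doc comment and nothing ties it to `IsNetworkRole`, so a template can carry a NetworkID while `IsNetworkRole` is false, or the reverse; a comment such as `// NetworkID scopes a network role to a single network; empty for global roles and required whenever IsNetworkRole is true` would state the invariant the rest of this commit relies on. The `AllExtClientsRsrcID` and `AllFailOverRsrcID` renames keep the string values `"all_extclients"` and `"all_fail_over"`, so persisted roles are unaffected. The remainder of the type's fields is outside the hunk.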
|
||||
|
|