gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-11-09 16:21:01 +08:00
Code Issues Projects Releases Packages Wiki Activity

fix middleware for global access

Browse source
This commit is contained in:
abhishek9686 2024-08-01 17:42:37 +05:30
parent 3820e7dcfe
commit 5f53887c0e
5 changed files with 18 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
controllers/middleware.go
View file

@ -33,6 +33,9 @@ func userMiddleWare(handler http.Handler) http.Handler {
if strings.Contains(r.URL.Path, "ingress") { if strings.Contains(r.URL.Path, "ingress") {
r.Header.Set("TARGET_RSRC", models.RemoteAccessGwRsrc.String()) r.Header.Set("TARGET_RSRC", models.RemoteAccessGwRsrc.String())
} }
if strings.Contains(r.URL.Path, "createrelay") || strings.Contains(r.URL.Path, "deleterelay") {
r.Header.Set("TARGET_RSRC", models.RelayRsrc.String())
}
if strings.Contains(r.URL.Path, "gateway") { if strings.Contains(r.URL.Path, "gateway") {
r.Header.Set("TARGET_RSRC", models.EgressGwRsrc.String()) r.Header.Set("TARGET_RSRC", models.EgressGwRsrc.String())
} }

4
pro/controllers/relay.go
View file

@ -19,8 +19,8 @@ import (
// RelayHandlers - handle Pro Relays // RelayHandlers - handle Pro Relays
func RelayHandlers(r *mux.Router) { func RelayHandlers(r *mux.Router) {
r.HandleFunc("/api/nodes/{network}/{nodeid}/createrelay", controller.Authorize(false, true, "user", http.HandlerFunc(createRelay))).Methods(http.MethodPost) r.HandleFunc("/api/nodes/{network}/{nodeid}/createrelay", logic.SecurityCheck(true, http.HandlerFunc(createRelay))).Methods(http.MethodPost)
r.HandleFunc("/api/nodes/{network}/{nodeid}/deleterelay", controller.Authorize(false, true, "user", http.HandlerFunc(deleteRelay))).Methods(http.MethodDelete) r.HandleFunc("/api/nodes/{network}/{nodeid}/deleterelay", logic.SecurityCheck(true, http.HandlerFunc(deleteRelay))).Methods(http.MethodDelete)
r.HandleFunc("/api/v1/host/{hostid}/failoverme", controller.Authorize(true, false, "host", http.HandlerFunc(failOverME))).Methods(http.MethodPost) r.HandleFunc("/api/v1/host/{hostid}/failoverme", controller.Authorize(true, false, "host", http.HandlerFunc(failOverME))).Methods(http.MethodPost)
} }

2
pro/controllers/users.go
View file

@ -33,7 +33,7 @@ func UserHandlers(r *mux.Router) {
// User Role Handlers // User Role Handlers
r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(listRoles))).Methods(http.MethodGet) r.HandleFunc("/api/v1/users/roles", logic.SecurityCheck(true, http.HandlerFunc(listRoles))).Methods(http.MethodGet)
r.HandleFunc("/api/v1/users/role", getRole).Methods(http.MethodGet) r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(getRole))).Methods(http.MethodGet)
r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost) r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(createRole))).Methods(http.MethodPost)
r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut) r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(updateRole))).Methods(http.MethodPut)
r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete) r.HandleFunc("/api/v1/users/role", logic.SecurityCheck(true, http.HandlerFunc(deleteRole))).Methods(http.MethodDelete)

10
pro/logic/security.go
View file

@ -47,7 +47,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
// check for global network role // check for global network role
if netRoles, ok := user.NetworkRoles[models.AllNetworks]; ok { if netRoles, ok := user.NetworkRoles[models.AllNetworks]; ok {
for netRoleID := range netRoles { for netRoleID := range netRoles {
err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID) err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
if err == nil { if err == nil {
return nil return nil
} }
@ -55,7 +55,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
} }
netRoles := user.NetworkRoles[models.NetworkID(netID)] netRoles := user.NetworkRoles[models.NetworkID(netID)]
for netRoleID := range netRoles { for netRoleID := range netRoles {
err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID) err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
if err == nil { if err == nil {
return nil return nil
} }
@ -65,7 +65,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
if err == nil { if err == nil {
netRoles := userG.NetworkRoles[models.NetworkID(netID)] netRoles := userG.NetworkRoles[models.NetworkID(netID)]
for netRoleID := range netRoles { for netRoleID := range netRoles {
err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID) err = checkNetworkAccessPermissions(netRoleID, username, r.Method, targetRsrc, targetRsrcID, netID)
if err == nil { if err == nil {
return nil return nil
} }
@ -76,7 +76,7 @@ func NetworkPermissionsCheck(username string, r *http.Request) error {
return errors.New("access denied") return errors.New("access denied")
} }
func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqScope, targetRsrc, targetRsrcID string) error { func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqScope, targetRsrc, targetRsrcID, netID string) error {
networkPermissionScope, err := logic.GetRole(netRoleID) networkPermissionScope, err := logic.GetRole(netRoleID)
if err != nil { if err != nil {
return err return err
@ -96,7 +96,7 @@ func checkNetworkAccessPermissions(netRoleID models.UserRoleID, username, reqSco
if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok { if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", targetRsrc))]; ok {
// handle extclient apis here // handle extclient apis here
if models.RsrcType(targetRsrc) == models.ExtClientsRsrc && allRsrcsTypePermissionScope.SelfOnly && targetRsrcID != "" { if models.RsrcType(targetRsrc) == models.ExtClientsRsrc && allRsrcsTypePermissionScope.SelfOnly && targetRsrcID != "" {
extclient, err := logic.GetExtClient(targetRsrcID, networkPermissionScope.NetworkID.String()) extclient, err := logic.GetExtClient(targetRsrcID, netID)
if err != nil { if err != nil {
return err return err
} }

8
pro/logic/user_mgmt.go
View file

@ -576,7 +576,13 @@ func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filter
if err != nil { if err != nil {
continue continue
} }
networkNodes := logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String()) var networkNodes []models.Node
if userPermTemplate.NetworkID == models.AllNetworks {
networkNodes = nodes
} else {
networkNodes = logic.GetNetworkNodesMemory(nodes, userPermTemplate.NetworkID.String())
}
if userPermTemplate.FullAccess { if userPermTemplate.FullAccess {
for _, node := range networkNodes { for _, node := range networkNodes {
nodesMap[node.ID.String()] = struct{}{} nodesMap[node.ID.String()] = struct{}{}