
handle network nodes

abhishek9686 1 년 전
76dda15a31
3개의 변경된 파일43개의 추가작업 그리고 12개의 파일을 삭제
  1. 1 0
      controllers/middleware.go
  2. 30 12
      controllers/node.go
  3. 12 0
      logic/security.go

+ 1 - 0
controllers/middleware.go

@@ -49,6 +49,7 @@ func userMiddleWare(handler http.Handler) http.Handler {
 		}
 		if strings.Contains(r.URL.Path, "metrics") {
 			r.Header.Set("RSRC_TYPE", models.MetricRsrc.String())
+			r.Header.Set("TARGET_RSRC", models.MetricRsrc.String())
 		}
 		if keyID, ok := params["keyID"]; ok {
 			r.Header.Set("TARGET_RSRC_ID", keyID)
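Review bot: The added `TARGET_RSRC` header is derived from `strings.Contains(r.URL.Path, "metrics")`, a substring test, and in this same commit logic/security.go returns nil from networkPermissionsCheck as soon as `TARGET_RSRC` equals `models.MetricRsrc.String()`, so that substring match now decides whether the network permission check is skipped at all. Any route whose path happens to contain "metrics" anywhere would take the same short-circuit; the middleware should identify the metrics route exactly (a full-path or route-prefix comparison against the registered metrics route rather than `strings.Contains`) before stamping the resource type. It is also not visible here whether `TARGET_RSRC` is unconditionally overwritten earlier in the middleware for non-metrics requests; if it is not, a header value carried in from the client could survive into the check, which is worth confirming. userMiddleWare's body starts and ends outside the hunk.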

+ 30 - 12
controllers/node.go

@@ -286,24 +286,40 @@ func getNetworkNodes(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	networkRoles := user.NetworkRoles[models.NetworkID(networkName)]
-	for networkRoleID := range networkRoles {
-		userPermTemplate, err := logic.GetRole(networkRoleID)
-		if err != nil {
-			logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
-			return
-		}
-		if !userPermTemplate.FullAccess {
-			filteredNodes := []models.Node{}
+	userPlatformRole, err := logic.GetRole(user.PlatformRoleID)
+	if err != nil {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+		return
+	}
+	filteredNodes := []models.Node{}
+	if !userPlatformRole.FullAccess {
+		nodesMap := make(map[string]struct{})
+		networkRoles := user.NetworkRoles[models.NetworkID(networkName)]
+		for networkRoleID := range networkRoles {
+			userPermTemplate, err := logic.GetRole(networkRoleID)
+			if err != nil {
+				logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
+				return
+			}
+			if userPermTemplate.FullAccess {
+				break
+			}
 			if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
 				if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok {
 					for _, node := range nodes {
+						if _, ok := nodesMap[node.ID.String()]; ok {
+							continue
+						}
 						if node.IsIngressGateway {
+							nodesMap[node.ID.String()] = struct{}{}
 							filteredNodes = append(filteredNodes, node)
 						}
 					}
 				} else {
 					for gwID, scope := range rsrcPerms {
+						if _, ok := nodesMap[gwID.String()]; ok {
+							continue
+						}
 						if scope.Read {
 							gwNode, err := logic.GetNodeByID(gwID.String())
 							if err == nil && gwNode.IsIngressGateway {
@@ -313,11 +329,13 @@ func getNetworkNodes(w http.ResponseWriter, r *http.Request) {
 					}
 				}
 			}
-			nodes = filteredNodes
-		} else {
-			break
+
 		}
 	}
+	if len(filteredNodes) > 0 {
+		nodes = filteredNodes
+	}
+
 	// returns all the nodes in JSON/API format
 	apiNodes := logic.GetAllNodesAPI(nodes[:])
 	logger.Log(2, r.Header.Get("user"), "fetched nodes on network", networkName)
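Review bot: The new `if len(filteredNodes) > 0 { nodes = filteredNodes }` at the end of the filter turns "no permitted nodes" into "all nodes": a user whose platform role lacks FullAccess and whose network roles select no gateway ends the loop with an empty filteredNodes, so `nodes` keeps the full unfiltered list and is returned. The same guard also misfires in the other direction when an earlier partial role appended some nodes and a later role hits the `break` on `userPermTemplate.FullAccess` — filteredNodes is then non-empty and the full-access user gets the partial list. Track full access in a boolean instead of inferring it from the slice length, as sketched below (the replacement for the final guard spans the second hunk). Separately, the dedupe map is consulted for `gwID` at the top of the per-gateway loop but the lines that would record `gwID` in `nodesMap` fall outside the hunk, so confirm the entry is actually added there; otherwise the `continue` never fires for that branch.
```go
fullAccess := userPlatformRole.FullAccess
filteredNodes := []models.Node{}
if !fullAccess {
	// … unchanged: nodesMap setup and network-role loop …
	if userPermTemplate.FullAccess {
		fullAccess = true
		break
	}
	// … unchanged: gateway filtering …
}
if !fullAccess {
	nodes = filteredNodes
}
```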

+ 12 - 0
logic/security.go

@@ -60,6 +60,7 @@ func networkPermissionsCheck(username string, r *http.Request) error {
 	if targetRsrc == models.MetricRsrc.String() {
 		return nil
 	}
+
 	// check if user has scope for target resource
 	// TODO - differentitate between global scope and network scope apis
 	netRoles := user.NetworkRoles[models.NetworkID(netID)]
@@ -95,6 +96,9 @@ func checkNetworkAccessPermissions(netRoleID models.UserRole, username, reqScope
 		return nil
 	}
 	rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
+	if targetRsrc == models.HostRsrc.String() && !ok {
+		rsrcPermissionScope, ok = networkPermissionScope.NetworkLevelAccess[models.RemoteAccessGwRsrc]
+	}
 	if !ok {
 		return errors.New("access denied")
 	}
@@ -116,6 +120,14 @@ func checkNetworkAccessPermissions(netRoleID models.UserRole, username, reqScope
 		}
 
 	}
+	if targetRsrc == models.HostRsrc.String() {
+		if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", models.RemoteAccessGwRsrc))]; ok {
+			err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, reqScope)
+			if err == nil {
+				return nil
+			}
+		}
+	}
 	logger.Log(0, "NET MIDDL----> 5", string(netRoleID))
 	if targetRsrcID == "" {
 		return errors.New("target rsrc id is empty")
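Review bot: The wildcard lookup in the added host block builds its key with `fmt.Sprintf("all_%s", models.RemoteAccessGwRsrc)`, while controllers/node.go in this same commit reads the same entry as `models.AllRemoteAccessGwRsrcID`; if the constant's value ever diverges from the formatted string this branch silently stops matching, so use the constant here too: `rsrcPermissionScope[models.AllRemoteAccessGwRsrcID]`. This block, together with the fallback in the previous hunk that substitutes `NetworkLevelAccess[models.RemoteAccessGwRsrc]` when no `HostRsrc` scope exists, lets remote-access-gateway permissions authorize host-resource requests and returns nil before the `targetRsrcID` check below runs; that is presumably intended, but it widens the scope of a gateway grant and deserves a comment at the fallback such as `// hosts have no dedicated scope yet; remote access gateway permissions are reused for host requests`. The blank line added in the first hunk is whitespace only. checkNetworkAccessPermissions continues past the end of the hunk.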