handle network nodes
This commit is contained in:
parent
9abc892c5a
commit
76dda15a31
|
@ -49,6 +49,7 @@ func userMiddleWare(handler http.Handler) http.Handler {
|
|||
}
|
||||
if strings.Contains(r.URL.Path, "metrics") {
|
||||
r.Header.Set("RSRC_TYPE", models.MetricRsrc.String())
|
||||
r.Header.Set("TARGET_RSRC", models.MetricRsrc.String())
|
||||
}
|
||||
if keyID, ok := params["keyID"]; ok {
|
||||
r.Header.Set("TARGET_RSRC_ID", keyID)
|
||||
|
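Review bot: The new `r.Header.Set("TARGET_RSRC", models.MetricRsrc.String())` is keyed on `strings.Contains(r.URL.Path, "metrics")`, a substring match over the whole path, so any request whose path merely contains "metrics" (a network or host named that way, for instance) is classified as a metric resource; combined with the `targetRsrc == models.MetricRsrc.String()` early `return nil` visible in the networkPermissionsCheck hunk, that classification now skips the network-scope check entirely. Match the route rather than scanning the path, e.g. `if strings.HasPrefix(r.URL.Path, "<metrics route prefix>") {` (placeholder for the real metrics route), or set the header from the metrics handler itself. The Contains test appears to predate this commit, but the added header line is what makes it authorization-relevant. userMiddleWare starts and ends outside this hunk.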
|
|
@ -286,24 +286,40 @@ func getNetworkNodes(w http.ResponseWriter, r *http.Request) {
|
|||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
||||
return
|
||||
}
|
||||
networkRoles := user.NetworkRoles[models.NetworkID(networkName)]
|
||||
for networkRoleID := range networkRoles {
|
||||
userPermTemplate, err := logic.GetRole(networkRoleID)
|
||||
if err != nil {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
||||
return
|
||||
}
|
||||
if !userPermTemplate.FullAccess {
|
||||
filteredNodes := []models.Node{}
|
||||
userPlatformRole, err := logic.GetRole(user.PlatformRoleID)
|
||||
if err != nil {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
||||
return
|
||||
}
|
||||
filteredNodes := []models.Node{}
|
||||
if !userPlatformRole.FullAccess {
|
||||
nodesMap := make(map[string]struct{})
|
||||
networkRoles := user.NetworkRoles[models.NetworkID(networkName)]
|
||||
for networkRoleID := range networkRoles {
|
||||
userPermTemplate, err := logic.GetRole(networkRoleID)
|
||||
if err != nil {
|
||||
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
|
||||
return
|
||||
}
|
||||
if userPermTemplate.FullAccess {
|
||||
break
|
||||
}
|
||||
if rsrcPerms, ok := userPermTemplate.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
|
||||
if _, ok := rsrcPerms[models.AllRemoteAccessGwRsrcID]; ok {
|
||||
for _, node := range nodes {
|
||||
if _, ok := nodesMap[node.ID.String()]; ok {
|
||||
continue
|
||||
}
|
||||
if node.IsIngressGateway {
|
||||
nodesMap[node.ID.String()] = struct{}{}
|
||||
filteredNodes = append(filteredNodes, node)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for gwID, scope := range rsrcPerms {
|
||||
if _, ok := nodesMap[gwID.String()]; ok {
|
||||
continue
|
||||
}
|
||||
if scope.Read {
|
||||
gwNode, err := logic.GetNodeByID(gwID.String())
|
||||
if err == nil && gwNode.IsIngressGateway {
|
||||
|
@ -313,11 +329,13 @@ func getNetworkNodes(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
}
|
||||
}
|
||||
nodes = filteredNodes
|
||||
} else {
|
||||
break
|
||||
|
||||
}
|
||||
}
|
||||
if len(filteredNodes) > 0 {
|
||||
nodes = filteredNodes
|
||||
}
|
||||
|
||||
// returns all the nodes in JSON/API format
|
||||
apiNodes := logic.GetAllNodesAPI(nodes[:])
|
||||
logger.Log(2, r.Header.Get("user"), "fetched nodes on network", networkName)
|
||||
|
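Review bot: `if len(filteredNodes) > 0 { nodes = filteredNodes }` fails open: a user whose platform role lacks full access and whose network roles grant no readable ingress gateway ends up with an empty filteredNodes and is therefore handed the unfiltered node list. The empty slice seems to be standing in for "a network role with FullAccess hit the `break`" (see the FullAccess branch in the earlier hunk of this function), but it cannot distinguish that case from "nothing matched". Track the full-access case explicitly: declare `fullAccess := false` next to `filteredNodes`, set `fullAccess = true` immediately before that `break`, and replace the length check with `if !fullAccess { nodes = filteredNodes }`. getNetworkNodes starts and ends outside this hunk.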
|
|
@ -60,6 +60,7 @@ func networkPermissionsCheck(username string, r *http.Request) error {
|
|||
if targetRsrc == models.MetricRsrc.String() {
|
||||
return nil
|
||||
}
|
||||
|
||||
// check if user has scope for target resource
|
||||
// TODO - differentitate between global scope and network scope apis
|
||||
netRoles := user.NetworkRoles[models.NetworkID(netID)]
|
||||
|
@ -95,6 +96,9 @@ func checkNetworkAccessPermissions(netRoleID models.UserRole, username, reqScope
|
|||
return nil
|
||||
}
|
||||
rsrcPermissionScope, ok := networkPermissionScope.NetworkLevelAccess[models.RsrcType(targetRsrc)]
|
||||
if targetRsrc == models.HostRsrc.String() && !ok {
|
||||
rsrcPermissionScope, ok = networkPermissionScope.NetworkLevelAccess[models.RemoteAccessGwRsrc]
|
||||
}
|
||||
if !ok {
|
||||
return errors.New("access denied")
|
||||
}
|
||||
|
@ -116,6 +120,14 @@ func checkNetworkAccessPermissions(netRoleID models.UserRole, username, reqScope
|
|||
}
|
||||
|
||||
}
|
||||
if targetRsrc == models.HostRsrc.String() {
|
||||
if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", models.RemoteAccessGwRsrc))]; ok {
|
||||
err = checkPermissionScopeWithReqMethod(allRsrcsTypePermissionScope, reqScope)
|
||||
if err == nil {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
logger.Log(0, "NET MIDDL----> 5", string(netRoleID))
|
||||
if targetRsrcID == "" {
|
||||
return errors.New("target rsrc id is empty")
|
||||
|
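Review bot: The new host fallback at `rsrcPermissionScope[models.RsrcID(fmt.Sprintf("all_%s", models.RemoteAccessGwRsrc))]` rebuilds the "all remote access gateways" ID by string formatting, while getNetworkNodes in this same commit reads it as `models.AllRemoteAccessGwRsrcID`; if the two spellings ever diverge the middleware check and the node filter will disagree about who holds the scope. Use the constant here as well: `if allRsrcsTypePermissionScope, ok := rsrcPermissionScope[models.AllRemoteAccessGwRsrcID]; ok {` (assuming that constant is defined as the same string). Together with the earlier hunk's fallback from HostRsrc to RemoteAccessGwRsrc scope, this path lets gateway-wide scope satisfy a host-resource request without confirming the target host is itself a gateway, which deserves a comment such as `// NOTE(review): gateway-wide scope also satisfies host requests — confirm the target host is a gateway`. checkNetworkAccessPermissions continues outside this hunk.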
|