gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-03 10:24:24 +08:00
Code Issues Projects Releases Packages Wiki Activity

feat(go): refactor extclient cleanup on group network roles changes;

Browse source
This commit is contained in:
Vishal Dalwadi 2025-08-21 14:05:48 +05:30
parent 87f550d027
commit b4d5564366
2 changed files with 49 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
pro/controllers/users.go
View file

@ -690,7 +690,7 @@ func updateUserGroup(w http.ResponseWriter, r *http.Request) {
}() }()
// reset configs for service user // reset configs for service user
go proLogic.UpdatesUserGwAccessOnGrpUpdates(currUserG.NetworkRoles, userGroup.NetworkRoles) go proLogic.UpdatesUserGwAccessOnGrpUpdates(userGroup.ID, currUserG.NetworkRoles, userGroup.NetworkRoles)
logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group") logic.ReturnSuccessResponseWithJson(w, r, userGroup, "updated user group")
} }
@ -781,7 +781,7 @@ func deleteUserGroup(w http.ResponseWriter, r *http.Request) {
} }
}() }()
go proLogic.UpdatesUserGwAccessOnGrpUpdates(userG.NetworkRoles, make(map[models.NetworkID]map[models.UserRoleID]struct{})) go proLogic.UpdatesUserGwAccessOnGrpUpdates(userG.ID, userG.NetworkRoles, make(map[models.NetworkID]map[models.UserRoleID]struct{}))
logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group") logic.ReturnSuccessResponseWithJson(w, r, nil, "deleted user group")
} }

72
pro/logic/user_mgmt.go
View file

@ -1079,27 +1079,14 @@ func UpdatesUserGwAccessOnRoleUpdates(currNetworkAccess,
} }
} }
func UpdatesUserGwAccessOnGrpUpdates(oldNetworkRoles, newNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) { func UpdatesUserGwAccessOnGrpUpdates(groupID models.UserGroupID, oldNetworkRoles, newNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) {
networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{}) networkRemovedMap := make(map[models.NetworkID]struct{})
for netID, networkUserRoles := range oldNetworkRoles { for netID := range oldNetworkRoles {
if _, ok := newNetworkRoles[netID]; !ok { if _, ok := newNetworkRoles[netID]; !ok {
for netRoleID := range networkUserRoles { networkRemovedMap[netID] = struct{}{}
if _, ok := networkChangeMap[netID]; !ok {
networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
}
networkChangeMap[netID][netRoleID] = struct{}{}
}
} else {
for netRoleID := range networkUserRoles {
if _, ok := newNetworkRoles[netID][netRoleID]; !ok {
if _, ok := networkChangeMap[netID]; !ok {
networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
}
networkChangeMap[netID][netRoleID] = struct{}{}
}
}
} }
} }
extclients, err := logic.GetAllExtClients() extclients, err := logic.GetAllExtClients()
if err != nil { if err != nil {
slog.Error("failed to fetch extclients", "error", err) slog.Error("failed to fetch extclients", "error", err)
@ -1109,19 +1096,44 @@ func UpdatesUserGwAccessOnGrpUpdates(oldNetworkRoles, newNetworkRoles map[models
if err != nil { if err != nil {
return return
} }
for _, extclient := range extclients {
if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok { for _, extclient := range extclients {
// this extclient's network was removed from group's network roles. var shouldDelete bool
if user, ok := userMap[extclient.OwnerID]; ok { user, ok := userMap[extclient.OwnerID]
// super-admins and admins have complete access to the network. if !ok {
// platform users, at the very least, have access to connect to // user does not exist, delete extclient.
// the network. shouldDelete = true
// service users have no access to the network. } else {
// hence, we delete the extclient and clean up the peers. if user.PlatformRoleID == models.SuperAdminRole || user.PlatformRoleID == models.AdminRole {
if user.PlatformRoleID != models.ServiceUser { // Super-admin and Admin's access is not determined by group membership
continue // or network roles. Even if a network is removed from the group, they
// continue to have access to the network.
// So, no need to delete the extclient.
shouldDelete = false
} else {
_, hasAccess := user.NetworkRoles[models.NetworkID(extclient.Network)]
if hasAccess {
// The user has access to the network by themselves and not by
// virtue of being a member of the group.
// So, no need to delete the extclient.
shouldDelete = false
} else {
_, userInGroup := user.UserGroups[groupID]
_, networkRemoved := networkRemovedMap[models.NetworkID(extclient.Network)]
if userInGroup && networkRemoved {
// This group no longer provides it's members access to the
// network.
// This user is a member of the group and has no direct
// access to the network (either by its platform role or by
// network roles).
// So, delete the extclient.
shouldDelete = true
} }
}
}
}
if shouldDelete {
err = logic.DeleteExtClientAndCleanup(extclient) err = logic.DeleteExtClientAndCleanup(extclient)
if err != nil { if err != nil {
slog.Error("failed to delete extclient", slog.Error("failed to delete extclient",
@ -1132,10 +1144,8 @@ func UpdatesUserGwAccessOnGrpUpdates(oldNetworkRoles, newNetworkRoles map[models
} }
} }
} }
} }
}
if servercfg.IsDNSMode() { if servercfg.IsDNSMode() {
logic.SetDNS() logic.SetDNS()
} }