NET-811: block normal user login from accessing dashboard (#2724)
* block normal user login from accessing dashboard * header change * allow from ui header * allow from ui header * check for user role after decoding * block oauth login for normal user * handle other oauth provider callback funcs for user login
parent
72f84c1355
commit
b69bf60160
|
@ -66,6 +66,15 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
user, err := logic.GetUser(content.Email)
|
||||||
|
if err != nil {
|
||||||
|
handleOauthUserNotFound(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||||
|
handleOauthUserNotAllowed(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
var newPass, fetchErr = fetchPassValue("")
|
var newPass, fetchErr = fetchPassValue("")
|
||||||
if fetchErr != nil {
|
if fetchErr != nil {
|
||||||
return
|
return
|
||||||
|
|
|
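Review bot: The lookup-and-gate sequence added here, from `user, err := logic.GetUser(content.Email)` down to the closing brace after `handleOauthUserNotAllowed(w)`, is repeated verbatim in the handleGithubCallback, handleGoogleCallback and handleOIDCCallback hunks of this commit; a single helper that takes the ResponseWriter and the e-mail, writes the 404/403 page itself and returns the user plus a bool saying whether to continue would keep the four providers from drifting apart the next time the admin rule changes. The placement before `fetchPassValue("")` looks right in that nothing below the gate runs for a non-admin, but whatever the code below this hunk previously did for an e-mail with no matching user is now unreachable, which is worth confirming against the rest of the callback. handleAzureCallback continues outside the hunk.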
@ -10,6 +10,31 @@ const oauthNotConfigured = `<!DOCTYPE html><html>
|
||||||
</body>
|
</body>
|
||||||
</html>`
|
</html>`
|
||||||
|
|
||||||
|
const userNotAllowed = `<!DOCTYPE html><html>
|
||||||
|
<body>
|
||||||
|
<h3>Only Admins are allowed to access Dashboard.</h3>
|
||||||
|
<p>Non-Admins can access the netmaker networks using <a href="https://docs.netmaker.io/pro/rac.html" target="_blank" rel="noopener">RemoteAccessClient.</a></p>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
`
|
||||||
|
const userNotFound = `<!DOCTYPE html><html>
|
||||||
|
<body>
|
||||||
|
<h3>User Not Found.</h3>
|
||||||
|
</body>
|
||||||
|
</html>`
|
||||||
|
|
||||||
|
func handleOauthUserNotFound(response http.ResponseWriter) {
|
||||||
|
response.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
|
response.WriteHeader(http.StatusNotFound)
|
||||||
|
response.Write([]byte(userNotFound))
|
||||||
|
}
|
||||||
|
|
||||||
|
func handleOauthUserNotAllowed(response http.ResponseWriter) {
|
||||||
|
response.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
|
response.WriteHeader(http.StatusForbidden)
|
||||||
|
response.Write([]byte(userNotAllowed))
|
||||||
|
}
|
||||||
|
|
||||||
// handleOauthNotConfigured - returns an appropriate html page when oauth is not configured on netmaker server but an oauth login was attempted
|
// handleOauthNotConfigured - returns an appropriate html page when oauth is not configured on netmaker server but an oauth login was attempted
|
||||||
func handleOauthNotConfigured(response http.ResponseWriter) {
|
func handleOauthNotConfigured(response http.ResponseWriter) {
|
||||||
response.Header().Set("Content-Type", "text/html; charset=utf-8")
|
response.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
|
|
|
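Review bot: The two new helpers lack the doc comment that the neighbouring `handleOauthNotConfigured` carries, so their status codes and intended callers are only discoverable by reading the body; `// handleOauthUserNotFound - returns a 404 html page when the oauth identity has no matching netmaker user` and `// handleOauthUserNotAllowed - returns a 403 html page when the matching netmaker user is neither admin nor superadmin` would match the file's existing style. The discarded return value of `response.Write([]byte(userNotAllowed))` mirrors the existing helper, so it is consistent, though a `_, _ =` with a short justification would satisfy linters. The `userNotAllowed` literal closes its backtick on a separate line and therefore ends with a newline after `</html>`, unlike `userNotFound`; harmless, but the two would read better aligned.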
@ -66,6 +66,15 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
user, err := logic.GetUser(content.Email)
|
||||||
|
if err != nil {
|
||||||
|
handleOauthUserNotFound(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||||
|
handleOauthUserNotAllowed(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
var newPass, fetchErr = fetchPassValue("")
|
var newPass, fetchErr = fetchPassValue("")
|
||||||
if fetchErr != nil {
|
if fetchErr != nil {
|
||||||
return
|
return
|
||||||
|
|
|
@ -68,6 +68,15 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
user, err := logic.GetUser(content.Email)
|
||||||
|
if err != nil {
|
||||||
|
handleOauthUserNotFound(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||||
|
handleOauthUserNotAllowed(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
var newPass, fetchErr = fetchPassValue("")
|
var newPass, fetchErr = fetchPassValue("")
|
||||||
if fetchErr != nil {
|
if fetchErr != nil {
|
||||||
return
|
return
|
||||||
|
|
|
@ -79,6 +79,15 @@ func handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
user, err := logic.GetUser(content.Email)
|
||||||
|
if err != nil {
|
||||||
|
handleOauthUserNotFound(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !(user.IsSuperAdmin || user.IsAdmin) {
|
||||||
|
handleOauthUserNotAllowed(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
var newPass, fetchErr = fetchPassValue("")
|
var newPass, fetchErr = fetchPassValue("")
|
||||||
if fetchErr != nil {
|
if fetchErr != nil {
|
||||||
return
|
return
|
||||||
|
|
|
@ -41,7 +41,7 @@ func HandleRESTRequests(wg *sync.WaitGroup, ctx context.Context) {
|
||||||
|
|
||||||
// Currently allowed dev origin is all. Should change in prod
|
// Currently allowed dev origin is all. Should change in prod
|
||||||
// should consider analyzing the allowed methods further
|
// should consider analyzing the allowed methods further
|
||||||
headersOk := handlers.AllowedHeaders([]string{"Access-Control-Allow-Origin", "X-Requested-With", "Content-Type", "authorization"})
|
headersOk := handlers.AllowedHeaders([]string{"Access-Control-Allow-Origin", "X-Requested-With", "Content-Type", "authorization", "From-Ui"})
|
||||||
originsOk := handlers.AllowedOrigins(strings.Split(servercfg.GetAllowedOrigin(), ","))
|
originsOk := handlers.AllowedOrigins(strings.Split(servercfg.GetAllowedOrigin(), ","))
|
||||||
methodsOk := handlers.AllowedMethods([]string{http.MethodGet, http.MethodPut, http.MethodPost, http.MethodDelete})
|
methodsOk := handlers.AllowedMethods([]string{http.MethodGet, http.MethodPut, http.MethodPost, http.MethodDelete})
|
||||||
|
|
||||||
|
|
|
@ -71,6 +71,20 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
|
||||||
logic.ReturnErrorResponse(response, request, errorResponse)
|
logic.ReturnErrorResponse(response, request, errorResponse)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if val := request.Header.Get("From-Ui"); val == "true" {
|
||||||
|
// request came from UI, if normal user block Login
|
||||||
|
user, err := logic.GetUser(authRequest.UserName)
|
||||||
|
if err != nil {
|
||||||
|
logger.Log(0, authRequest.UserName, "user validation failed: ",
|
||||||
|
err.Error())
|
||||||
|
logic.ReturnErrorResponse(response, request, logic.FormatError(err, "unauthorized"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !(user.IsAdmin || user.IsSuperAdmin) {
|
||||||
|
logic.ReturnErrorResponse(response, request, logic.FormatError(errors.New("only admins can access dashboard"), "unauthorized"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
username := authRequest.UserName
|
username := authRequest.UserName
|
||||||
jwt, err := logic.VerifyAuthRequest(authRequest)
|
jwt, err := logic.VerifyAuthRequest(authRequest)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
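Review bot: The new `From-Ui` block runs before `jwt, err := logic.VerifyAuthRequest(authRequest)`, so a request that carries `From-Ui: true` and a guessed username receives `only admins can access dashboard` for an existing non-admin account and the lookup failure's `unauthorized` otherwise, without ever supplying a valid password; that is an account-existence and role oracle reachable by any unauthenticated client. Move the whole `if val := request.Header.Get("From-Ui"); val == "true" { ... }` block below the `VerifyAuthRequest` error check so the lookup and the admin test only run for a verified credential, and return the same generic `unauthorized` text in both branches. Because the header is chosen by the client (the CORS hunk only lets browsers send it during preflight; non-browser clients can set or omit it freely), this block is a UI routing decision rather than an authorization boundary, and the dashboard's own endpoints still need their server-side admin check. authenticateUser continues past this hunk.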
@ -119,7 +133,7 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
|
||||||
if client.OwnerID == username && !client.Enabled {
|
if client.OwnerID == username && !client.Enabled {
|
||||||
slog.Info(fmt.Sprintf("enabling ext client %s for user %s due to RAC autodisabling feature", client.ClientID, client.OwnerID))
|
slog.Info(fmt.Sprintf("enabling ext client %s for user %s due to RAC autodisabling feature", client.ClientID, client.OwnerID))
|
||||||
if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
|
if newClient, err := logic.ToggleExtClientConnectivity(&client, true); err != nil {
|
||||||
slog.Error("error disabling ext client in RAC autodisable hook", "error", err)
|
slog.Error("error enabling ext client in RAC autodisable hook", "error", err)
|
||||||
continue // dont return but try for other clients
|
continue // dont return but try for other clients
|
||||||
} else {
|
} else {
|
||||||
// publish peer update to ingress gateway
|
// publish peer update to ingress gateway
|
||||||
|
|