avoid gateway role migration

This commit is contained in:
abhishek9686 2024-10-27 23:31:30 +04:00
parent 502a15ea14
commit bf88a80ea2
2 changed files with 152 additions and 4 deletions


@ -834,7 +834,7 @@ func getUserRemoteAccessNetworks(w http.ResponseWriter, r *http.Request) {
userGws := make(map[string][]models.UserRemoteGws)
networks := []models.Network{}
networkMap := make(map[string]struct{})
userGwNodes := proLogic.GetUserRAGNodesV1(*user)
userGwNodes := proLogic.GetUserRAGNodes(*user)
for _, node := range userGwNodes {
network, err := logic.GetNetwork(node.Network)
if err != nil {
@ -876,7 +876,7 @@ func getUserRemoteAccessNetworkGateways(w http.ResponseWriter, r *http.Request)
}
userGws := []models.UserRAGs{}
userGwNodes := proLogic.GetUserRAGNodesV1(*user)
userGwNodes := proLogic.GetUserRAGNodes(*user)
for _, node := range userGwNodes {
if node.Network != network {
continue
@ -931,7 +931,7 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
return
}
userGwNodes := proLogic.GetUserRAGNodesV1(*user)
userGwNodes := proLogic.GetUserRAGNodes(*user)
if _, ok := userGwNodes[remoteGwID]; !ok {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("access denied"), "forbidden"))
return
@ -1075,7 +1075,7 @@ func getUserRemoteAccessGwsV1(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
userGwNodes := proLogic.GetUserRAGNodesV1(*user)
userGwNodes := proLogic.GetUserRAGNodes(*user)
for _, extClient := range allextClients {
node, ok := userGwNodes[extClient.IngressGatewayID]
if !ok {
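Review bot: After these four call sites switch from `GetUserRAGNodesV1` to `GetUserRAGNodes`, both functions remain defined side by side (V1 is still visible as context in the other file), so the project carries two implementations of the same gateway-visibility decision, and the one that gates `getRemoteAccessGatewayConf` with its "access denied" response is the one most likely to diverge silently. If V1 has no remaining callers after this commit, remove it, otherwise mark it `// Deprecated: use GetUserRAGNodes.` and add a comment at the first call site noting that all four handlers must use the same function. The four enclosing handlers each start and end outside their hunks.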


@ -7,6 +7,7 @@ import (
"time"
"github.com/gravitl/netmaker/database"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/models"
"github.com/gravitl/netmaker/mq"
@ -555,6 +556,153 @@ func GetUserRAGNodesV1(user models.User) (gws map[string]models.Node) {
return
}
func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
gws = make(map[string]models.Node)
userGwAccessScope := GetUserNetworkRolesWithRemoteVPNAccess(user)
logger.Log(3, fmt.Sprintf("User Gw Access Scope: %+v", userGwAccessScope))
_, allNetAccess := userGwAccessScope["*"]
nodes, err := logic.GetAllNodes()
if err != nil {
return
}
for _, node := range nodes {
if node.IsIngressGateway && !node.PendingDelete {
if allNetAccess {
gws[node.ID.String()] = node
} else {
gwRsrcMap := userGwAccessScope[models.NetworkID(node.Network)]
scope, ok := gwRsrcMap[models.AllRemoteAccessGwRsrcID]
if !ok {
if scope, ok = gwRsrcMap[models.RsrcID(node.ID.String())]; !ok {
continue
}
}
if scope.VPNaccess {
gws[node.ID.String()] = node
}
}
}
}
return
}
// GetUserNetworkRoles - get user network roles
func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope) {
gwAccess = make(map[models.NetworkID]map[models.RsrcID]models.RsrcPermissionScope)
platformRole, err := logic.GetRole(user.PlatformRoleID)
if err != nil {
return
}
if platformRole.FullAccess {
gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
return
}
if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
}
if len(user.UserGroups) > 0 {
for gID := range user.UserGroups {
userG, err := GetUserGroup(gID)
if err != nil {
continue
}
for netID, roleMap := range userG.NetworkRoles {
for roleID := range roleMap {
role, err := logic.GetRole(roleID)
if err == nil {
if role.FullAccess {
gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
models.AllRemoteAccessGwRsrcID: {
Create: true,
Read: true,
Update: true,
VPNaccess: true,
Delete: true,
},
models.AllExtClientsRsrcID: {
Create: true,
Read: true,
Update: true,
Delete: true,
},
}
break
}
if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
if len(gwAccess[netID]) == 0 {
gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
}
gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
break
} else {
for gwID, scope := range rsrcsMap {
if scope.VPNaccess {
if len(gwAccess[netID]) == 0 {
gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
}
gwAccess[netID][gwID] = scope
}
}
}
}
}
}
}
}
}
for netID, roleMap := range user.NetworkRoles {
for roleID := range roleMap {
role, err := logic.GetRole(roleID)
if err == nil {
if role.FullAccess {
gwAccess[netID] = map[models.RsrcID]models.RsrcPermissionScope{
models.AllRemoteAccessGwRsrcID: {
Create: true,
Read: true,
Update: true,
VPNaccess: true,
Delete: true,
},
models.AllExtClientsRsrcID: {
Create: true,
Read: true,
Update: true,
Delete: true,
},
}
break
}
if rsrcsMap, ok := role.NetworkLevelAccess[models.RemoteAccessGwRsrc]; ok {
if permissions, ok := rsrcsMap[models.AllRemoteAccessGwRsrcID]; ok && permissions.VPNaccess {
if len(gwAccess[netID]) == 0 {
gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
}
gwAccess[netID][models.AllRemoteAccessGwRsrcID] = permissions
break
} else {
for gwID, scope := range rsrcsMap {
if scope.VPNaccess {
if len(gwAccess[netID]) == 0 {
gwAccess[netID] = make(map[models.RsrcID]models.RsrcPermissionScope)
}
gwAccess[netID][gwID] = scope
}
}
}
}
}
}
}
return
}
func GetFilteredNodesByUserAccess(user models.User, nodes []models.Node) (filteredNodes []models.Node) {
nodesMap := make(map[string]struct{})
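Review bot: The `user.NetworkRoles[models.AllNetworks]` check in GetUserNetworkRolesWithRemoteVPNAccess installs the `"*"` scope, which GetUserRAGNodes turns into every gateway in every network via `allNetAccess`, without inspecting what the roles under that key actually grant, whereas the same key reached through a user group (the `userG.NetworkRoles` loop) and every per-network role in the `user.NetworkRoles` loop is filtered on `VPNaccess`. Unless an all-networks assignment is meant to imply full VPN access, this over-grants for restricted roles; dropping those three lines lets the `user.NetworkRoles` loop apply the same checks (the empty map stored under `"*"` by the platform FullAccess branch stays the only unconditional marker), and GetUserRAGNodes then needs to consult the all-networks scope as a fallback, as sketched below. The `"*"` literals and `models.AllNetworks` presumably name the same key, which is worth confirming and then using the constant throughout. The comment above GetUserNetworkRolesWithRemoteVPNAccess names a different function; suggest `// GetUserNetworkRolesWithRemoteVPNAccess returns, per network, the remote-access-gateway scopes through which user may connect; an empty map under "*" means unrestricted platform access.`. GetUserRAGNodes also returns an empty map when `logic.GetAllNodes` fails, so callers such as getRemoteAccessGatewayConf report a store failure as access denied; logging that error at the `return` would make such failures diagnosable.
```go
	for _, node := range nodes {
		if !node.IsIngressGateway || node.PendingDelete {
			continue
		}
		// An empty "*" scope is the platform FullAccess marker; a non-empty
		// all-networks scope carries role permissions and is checked like a
		// per-network scope.
		if allNetAccess && len(userGwAccessScope["*"]) == 0 {
			gws[node.ID.String()] = node
			continue
		}
		if gwVPNAllowed(userGwAccessScope[models.NetworkID(node.Network)], node) ||
			gwVPNAllowed(userGwAccessScope[models.AllNetworks], node) {
			gws[node.ID.String()] = node
		}
	}
	// … unchanged: return …
}

// gwVPNAllowed reports whether scope grants VPN access to node, through the
// all-gateways entry when present, otherwise through the node's own entry.
func gwVPNAllowed(scope map[models.RsrcID]models.RsrcPermissionScope, node models.Node) bool {
	if s, ok := scope[models.AllRemoteAccessGwRsrcID]; ok {
		return s.VPNaccess
	}
	s, ok := scope[models.RsrcID(node.ID.String())]
	return ok && s.VPNaccess
}
```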